Question: Has the U.S. Social Security Administration been informed by Hawaii’s Department of Health about the death records data breach? Does SSA have safeguards in place to prevent someone who accessed the death records from changing the recipient of SSA survivor benefits, addresses or bank information?
Answer: “DOH has notified the SSA. We defer to the SSA regarding their safeguards to prevent any fraudulent claims,” DOH spokesperson Shawn Hamamoto said in an email Friday.
A Social Security spokesperson was unable to answer your questions Friday, saying she needed more time to research the matter.
Yours is one of numerous questions received after the DOH said Thursday that its Electronic Death Registration System had been compromised. Death records of 3,400 people who died from 1998 to 2023 might have been viewed by at least one unauthorized user Jan. 20; 90% of the deaths occurred in 2014 or earlier, it said. The records contained the decedent’s name, Social Security number, address, sex, date of birth, date of death, place of death and cause of death — information prized by identity thieves.
The department is mailing letters to people listed in the EDRS as the surviving spouse and/or the person who reported the death to the mortuary, notifying them of the breach.
Q: How can DOH be sure it will reach all affected surviving spouses with mailed letters? I have moved since my husband died and my “mail forward” has expired.
A: It can’t. We’ve heard from other readers with similar concerns, which we shared with DOH. Hamamoto provided the following response, which lists a telephone contact for people in your situation who meet certain criteria.
“We are mailing notices to the surviving spouse and/or the person who reported the death to the mortuary at the contact information we have on record. Notices are being mailed immediately, but may take a few days to a week to arrive. Those who have relocated, have not received a letter and are concerned that they will not receive a mailed notice, and have any remaining unsettled matters such as accounts, estate, life insurance claims or Social Security survivor benefits, can call the DOH at 808-586-4462,” he said.
DOH can release information only to those listed as the surviving spouse and/or person who reported the death, he emphasized.
Q: What exactly should affected survivors do to limit harm from the unauthorized access of their spouse’s personally identifiable information, which thieves may use to try to open fraudulent credit and financial accounts in the dead person’s name, illegally obtain government benefits or divert Social Security benefits from a rightful beneficiary? Will the appropriate steps be covered in the letter that DOH is mailing? Will the DOH pay for monitoring services for affected survivors?
A: “We encourage individuals to remain vigilant with regard to any remaining unsettled matters such as accounts, estate, life insurance claims or Social Security survivor benefits and to contact the parties handling such matters,” Hamamoto said.
No, the letter doesn’t give step-by-step instructions or mention monitoring; it contains basically the same information as the DOH released Thursday, according to a copy provided to Kokua Line.
You mentioned some risks from this type of identity theft, and there are others as well, including the potential draining of financial accounts from which the deceased person’s name was not removed and the filing of fraudulent tax returns.
The nonprofit Cybercrime Support Network has a to-do list after “deceased family member identity theft,” which is sometimes called ghosting. Read it at 808ne.ws/DFMIT, or via its homepage, fightcybercrime.org.
Q: Auwe! This was preventable! The government must do a better job protecting information!
A: “In response to this incident, we are in the process of expeditiously implementing new security measures for (Electronic Death Registration System) external accounts, including a requirement for more complex passwords, multi-factor authentication, and automatic account disabling following a period of inactivity. We are also conducting a security review of external accounts for all of our systems,” Health Director Kenneth Fink said in the letter being mailed to affected survivors.
The unauthorized access was possible because the EDRS log-in credential of a former medical certifier at Tripler Army Medical Center remained active after the employee left the job in June 2021. The credential was compromised and sold on the internet. The DOH disabled the credential Jan. 23, the day it learned of the breach.
Q: Who sold the log-in code?
A: “The investigation identified two IP addresses: one located in Kentucky and one in the Netherlands. The Office of Homeland Security was informed of the breach,” Hamamoto said.
Write to Kokua Line at Honolulu Star-Advertiser, 500 Ala Moana Blvd., Suite 7-500, Honolulu, HI 96813; call 808-529-4773; or email kokualine@staradvertiser.com.