Medicare.gov Ignores Security Problem Loses Disabled Woman's Identity
Marjorie, a disabled 51 year old woman, lost her identity and she doesn’t even know it yet. Her data was mixed with another person’s data. Worse than just losing her identity, Medicare caused the loss and failed to fix it when told of the problem.
My mother receives Social Security, and is on Medicare Part A, B, C and D. She was setting up her online access to her Part C. These programs each have a separate online account even though all of it is overseen by Medicare and linked to Social Security. So she has a minimum of three online accounts and possibly five depending on which Part D plan she receives. Naturally she forgot the login information for one of the accounts.
My mother went to the www.Medicare.gov web site tried to login and was frustrated so she clicked the “Forgot Password” button. She entered her SignInID and Secret word. She changed her password and a confirmation email was sent to her registered email account. No problem, right? WRONG!!!
My mother changed the password and logged on but it said the account belonged to a woman named Marjorie who lives in another state. When my mother logged in she got Marjorie’s account with all of her medical data.
Being concerned about messing up some other woman’s account and worried that her own account was now lost, my mother immediately called the Medicare help desk. The operator at Medicare said they could not fix the mistake and dismissed my mother’s concerns. They told her the problem would be fixed when Marjorie received a letter in the mail telling her the account had been created. A few days later a letter for Marjorie arrived at my mother’s address. So Marjorie’s account has been compromised and she probably doesn’t even know it and Medicare, doesn’t care.
I knew we couldn’t trust Medicare to fix the problem. I’ve designed hundreds of software systems including several financial systems for major banks, insurance systems, INS fingerprint tracking system for the Department of Justice, and even fixed some bugs in the Veteran Affairs medical treatment reporting system. So after some thought and testing I believe figured out what is wrong with the website and probably how to fix it.
TECHNICAL DETAILS AVAILABLE TO PROPER AUTHORITIES
When I figured this out my mother was able to log into her own account and see all of her own data. We closely checked all her data and found some errors. That might be related to this bug or it could be from another. This wasn’t the only bug I found on www.Medicare.gov so I suspect there are others.
What I don’t know is if someone else is seeing my mother’s data? I know that Marjorie has been locked out of her account because her password was changed. How many other people had this happen?
We are worried about contacting Marjorie for fear of causing being accused of wrong doing. But we also are worried that records are being corrupted and exposed to unauthorized people.
Since we already called Medicare to report the problem and were ignored I’m publishing this to the world in hopes it will be fixed. I am concerned that the people who wrote the software will not fix it properly and other people will still be able to access accounts.