Tuesday, October 9, 2007

SSN: when a unique ID isn't.

As regular readers know, I work in higher education. I switched employers earlier this year, and recently discovered that the switch led to some interesting issues with insurance. The description below is the best fit to what appears to have happened, however it is written with no inside technical confirmation.

The sequence appears to be:

  1. End employment at former employer A, with insurance provided by insurance company X.
  2. Start employment with new employer B, employer B also uses insurance company X.
  3. Employer B insurance starts, and is identified by SSN to company X.
  4. Employer A carries my insurance through for a few weeks, then sends notice to the same insurer to terminate insurance for my SSN.
This led to my insurance being invalid, despite my current employer - B, believing that it was active. It also points to some interesting flaws behind the scenes.
  • A trusted entity can end insurance for a given SSN.
  • A trusted entity can declare themselves authoritative or is by default authoritative for a given SSN.
  • Crossovers are not flagged for activity - if employer A makes a change, then employer B makes a change, then A makes a change, this is not caught and investigated.
  • There is no regular feed that updates this information.
  • SSNs are used as unique IDs for the insurance - and even if you select a non-SSN ID (which the insurer offers) they appear to still be the primary key for your account.

No comments: