
Dependent Verification Services are still a bad idea

If there’s one thing the handful of longtime MT.Net readers know it’s that there’s never been a dead horse that I didn’t love to beat! In this case, I’m returning again to the topic of dependent verification services such as those offered by AON Hewitt. My employer is changing health plans and as a part of the transition employees are being asked to go through the dependent verification process.

This is my second go-round with this process and it makes as little sense the second time around as it did the first. The verification firms tout fraud rates of up to 15% as justification for employers to hire the firm. Some research I’ve found online suggests that the verification process costs the employer about $21 per employee.

Employers take note: the cost to your employees should also be taken into account. The verification process is an anxiety-ridden exercise that does not engender trust in one’s employer. Under threat of terminating their health benefits, you are asking your employees to gather their sensitive and confidential personal documents and scan, fax, or mail them to a third party: the verification service.

There is no guarantee that this verification service will safeguard your information. Indeed, there is precious little publicly available from AON Hewitt regarding how it will safeguard your private information. AON Hewitt’s privacy policy (as seen on their website) makes no mention of how it handles this information. Interestingly, AON Hewitt’s policy claims it does not knowingly collect information from children. It just does collect information about children, like their birth certificates.

I have searched the Internet and nowhere do I see any privacy policy posted directly by AON Hewitt regarding how the company handles the sensitive information it collects. There is an AON Hewitt privacy policy posted on the City of Seattle website [PDF] and one apparently from the City of New York [PDF]. This one at Penn State claims AON Hewitt destroys physical records after they are verified. Notably, it carves out an exception about the electronic records it receives:

Physical records that are mailed to Aon Hewitt are destroyed onsite in their secured facility. Digital information will remain on their system due to the ongoing process for new hires and qualifying events that begins January 1, 2013.

Note also that there is no apparent end-date to this electronic storage. There is no pledge from AON Hewitt to erase all digital copies of your information once the verification process is complete.

The other interesting thing here is this statement:

Aon Hewitt’s Dependent Verification Solutions system has never had a security breach, nor have they experienced any instances of identity theft during their course of business.

I believe this statement is either outdated or misleading. While AON Hewitt’s Dependent Verification Solutions may not have had a security breach, news reports suggest that AON Hewitt itself did have a security breach in June of 2013, and perhaps more than one breach. From the databreaches.net website:

The Bank of Tokyo-Mitsubishi recently notified some employees that their names and Social Security numbers had been erroneously emailed by their vendor AON Hewitt to another client of AON Hewitt. The email error occurred on August 2 and employees were notified on September 3. Although the risk analysis indicated a very low risk of misuse, the bank required AON Hewitt to offer those affected free credit monitoring services for one year.

This story ran in the Boston Globe:

Federal prosecutors in New Jersey have provided new details on how an international cybercrime ring broken up this week accessed some customer accounts at more than a dozen leading financial institutions and payroll services.

According to an amended complaint filed Thursday, the hackers used a number of unlawful means to obtain customer log-ins information to steal millions of dollars.

The government says no wider data breaches are alleged to have occurred.

[…]

Customer accounts were targeted at Aon Hewitt, Automated Data Processing Inc., Citibank, E-Trade, Electronic Payments Inc., Fundtech Holdings LLC, iPayment Inc., JPMorgan Chase Bank, Nordstrom Bank, PayPal, TD Ameritrade, TIAA-CREF, USAA, Veracity Payment Solutions Inc. and the payroll arm of the Department of Defense.

This news story is written in the vague terms that seem common to security breach announcements from financial firms. Financial firms shy away from security breach publicity as it makes their customers nervous. Well, rightly so, I say! Their customers should be nervous about how their data is being protected (or not, as the case may be).

The Los Angeles Times says that AON Hewitt was compromised:

The other compromised banks and financial services providers were Aon Hewitt, Automated Data Processing Inc., Electronic Payments Inc., Fundtech Holdings, iPayment Inc., Nordstrom Bank, PayPal, TD Ameritrade Corp., the U.S. Defense Department’s Defense Finance and Accounting Service, TIAA-CREF, USAA and Veracity Payment Solutions Inc.

The Justice Department’s criminal complaint seems only to say that AON Hewitt was targeted. Fair enough.

The truth is that there are serious downsides to asking your employees to run this gauntlet. There are also few privacy protections that appear to be in place that might safeguard their personal information. The burden of gathering these records, which includes time and fees, falls on the employee. The threat of losing one’s healthcare coverage causes extreme anxiety. Also, what recourse do your employees have should their private information be mishandled?

Employers should ask themselves: do you really want to tell your employees you think they’re dishonest? And if your employees actually are dishonest, don’t you have bigger issues than your healthcare costs?