Well, it's happened to me—sort of. My identity wasn't stolen, exactly—just left out in a place it didn't belong for a few days. When the Commonwealth of Massachusetts discovered its error, it tried to fix the damage and then it let me know all about it. And as far as I know, no harm has been done. Still, it leaves me with an uncomfortable feeling.
Here's what happened. Some years ago, I decided to become a licensed professional engineer. Unlike the medical and legal professions, the engineering professions generally don't require a practitioner to be licensed, except in a few cases where an engineer involved in public works such as bridges or roads has to sign off on plans for legal liability reasons. The vast majority of engineers working in private industry and academia in this country do not have to be licensed in order to hold their jobs. (The reasons for this are interesting, but a story for another day.)
Nevertheless, if you're licensed you get a pretty certificate to put on your wall, and some university engineering departments technically require their professors to be licensed professional engineers, although I've never heard of anybody losing their job over it. At the time, I was living in Massachusetts, and so I got online and found out what I had to do to become licensed.
The conventional route is a two-step process. Undergraduate engineering students can take an EIT (engineers-in-training) exam, and if they pass they become engineers in training. After five years or so of practice or the equivalent, they can take a second exam and become full-fledged licensed professional engineers. For older types like me, with a lot more than four years of experience, the Massachusetts Division of Professional Licensure had an alternative: I could put together about five pounds of documentation on my career and send it in and they'd interview me, and if they thought it was enough, they would license me after that. So that was the course I adopted, and in due course I received Electrical Engineering License No. 40940.
That number is part of the public record, which, as it turns out, the Division sends out regularly in the form of computer disks when it receives requests for lists of professional engineers of various types. This is how I get all kinds of junk mail from companies selling engineering-related products, I suppose, but I don't mind that aspect of the situation too much. What I mind a little more is what prompted the letter I received from the Division last week.
For four days last September, some disks they sent out in response to requests for licensees' names and addresses also accidentally included our Social Security numbers. That is NOT supposed to be a part of the public record, and commendably, the Division caught their mistake before too much damage had been done. They called all the places they'd sent the numbers to, got them to return the disks, made them sign papers saying they didn't retain any information from the disks, and so the incident is presumably closed. Just as a precaution, however, the Division told me to call one of the national credit reporting agencies and put a fraud alert on my credit report. I may get around to doing that one of these days.
As identity thefts go, this is a pretty minor case, more of a slipup than any deliberate crime. And I must say that the Division appears to have handled it in an exemplary fashion, notifying the potential victims and so on and getting the unintended recipients of the sensitive information to promise they didn't do anything fraudulent. But it gives one pause, because I have no idea who else has my Social Security number, and how careful they are being with it, and whether they've slipped up or had stuff stolen from them without even knowing about it.
This issue is shortly going to become even more important as most medical records go online in the next few years. I'm pretty sure one of the things you are always asked for in a doctor's office is your Social Security number, and that's how many medical records are indexed. Medical records have a lot of stuff in them that's even more sensitive than Social Security numbers, and I only hope that the doctors will learn from the bankers how to protect sensitive information.
The trouble is that the motivations are different. If a crook perpetrates credit-card fraud, the consumer is liable for only the first fifty dollars, and the bank or credit card company is left holding the bag for the rest. That one law has prompted the financial sector to develop one of the most secure and reliable systems of online information transfer in the world.
Doctors and healthcare providers don't have the same kind of motivation. A breach in your medical security is no skin off their nose, so to speak. So the laws will have to be written in a way that motivates the holders of sensitive information to protect it at the price of some penalty that will be greater than the cost of doing a good job of data security.
As for my little identity problem, I do believe I'll give one of those credit agencies a call. I had a very minor problem with one of them a few years ago and they fixed it with reasonable promptness, so it can't hurt to take that extra step of caution. That's an engineer for you.
Sources: More info on becoming a licensed professional engineer can be found at the website of the National Society of Professional Engineers, www.nspe.org.