Andrew Langer was pretty sure his daughter was on the wrong website when she tried to apply for new credentials to access Tricare, the military health program, from her home near Fort Eustis, Virginia.
As part of the online validation process for the Defense Department's MHS Genesis electronic health records system, Langer's daughter was told she would need to furnish the last eight digits of a credit card and undergo a "soft" credit check to gain access.
Sensing something amiss, she called her parents.
Read Next: Navy Reservist Who Was at Jan. 6 Riot Gets 3 Years on Gun Charges
"I'm normally so patient with my daughter but, quite honestly, I got very impatient because I thought this was phishing. ... I was like, 'Get off there. This is not right -- you don't need a credit card,'" Langer said.
Turns out, she did, as does anyone who must enroll in MHS Genesis or wants a new DoD credential, known as a DS Logon, to access the military pay system or their medical records.
It appears that the new requirement went into effect DoD and Veterans Affairs-wide within the past five months. For some, like Langer, it is an unwelcome change.
"It's a very simple yet privacy-invading way of trying to do identity verification," Langer said during an interview with Military.com. "Career civil servants tend to make these decisions without any sort of regard to the greater public policy implications -- the privacy issues, the disparate impact on folks who are struggling -- the idea that someone in their health care may know they have credit issues or are struggling financially."
The DoD Self-Service Logon, or DS Logon, is a digital credential used by military personnel and beneficiaries to access pay records, health services and other DoD administrative applications.
Once reserved for DoD beneficiaries only, the credential is now the standard for veterans, allowing them to check on the status of their Department of Veterans Affairs disability claims, health benefits applications, and other VA-related services.
According to Navy Cmdr. Nicole Schwegman, a DoD spokeswoman, users who apply for a DS Logon remotely must have their identity authenticated. The soft credit check is one way to verify the user, she said.
"The [Remote Identity Proofing] service is provided by a 3rdparty vendor and uses a variety of techniques to verify an individual's identity which involves data obtained through a soft credit check," Schwegman said in an email to Military.com. "These 'soft credit checks' do not impact a person's credit score."
She added that DS Logon has performed soft credit checks on individuals for more than eight years, although she admitted that neither she nor any of the military personnel in her office were aware of the requirement until asked about it by Military.com.
Users may just be noticing the new requirement as the Defense Department adopts the new Oracle Cerner MHS Genesis electronic health record system department-wide. When patients apply to access the new program, they are asked to provide a photo of their driver's license or another approved identification card and a credit card or a loan document to verify their ID.
Schwegman said that those who object to the credit check can use a Common Access Card to obtain a DS Logon or, if they don't have a CAC, can go to a DoD ID card facility and get their identity verified in person.
"Use of the remote identity proofing service is not a requirement for DS Logon issuance, but for some it is the most convenient option available," Schwegman said.
Langer, who is chairman of the Institute for Regulatory Analysis and Engagement, a nonprofit organization focused on the federal regulations and the administrative state, doesn't think that DoD beneficiaries should trade privacy for convenience.
He has written to the Defense Health Agency and reached out to two members of Congress to get answers on the new requirement, trying to find out who made the decision, why, and whether the DoD went through the proper regulatory process to enact it.
"I find no reference to it anywhere," Langer said. "I've gone down the rabbit hole trying to figure out who is responsible. … My suspicion is that the justification they will lay out is because they are trying to do this across platforms for DoD dependents, VA, DoD employees. I guess they are trying to standardize it. It still doesn't justify why."
– Patricia Kime can be reached at Patricia.Kime@Military.com.
Related: VA Delays Electronic Records System Rollout Due to Reliability Issues Following Crashes