It's a case that would seem to defy the odds many times over: Two Florida women born on the same day, in the same state, and given almost the same name. Though no one realized it at the time, it turns out they were also given the same Social Security number.
Joanna Rivera and Joannie Rivera only recently discovered the problem, according to a report this week, but in the meantime it's caused no end of trouble for them. Credit applications have been denied; tax returns have been rejected.
Identity theft might have been a likely assumption, but in this case, it was something different.
After 25 years of confusion, the Social Security Administration reportedly has admitted its mistake at last: In 1990, two Florida hospitals created the same record for two babies with similar first names, the same last name and the same date of birth, and the administration gave them both the same Social Security number.
It's not as uncommon as you might think. In fact, some 40 million SSNs are associated with multiple people, according to a 2010 study by ID Analytics.
Some, as in the Rivera case, are innocent mistakes caused by data-entry errors or bad handwriting, said Ken Meiser, vice president of identity solutions at ID Analytics.
Others are "what we call identity manipulation," whereby someone with a shaky credit history makes subtle changes to their identity so it's not connected with their history, he said.
Then, of course, there's impersonation by someone who either isn't qualified for a SSN of their own or is trying to assume a different identity for other reasons.
Cases like that of the Rivera women are "really rare," Meiser said. Nevertheless, "the question becomes, how do you build algorithms or recognize who is the legitimate owner of that SSN?"
Except in rare circumstances, the SSA is prohibited from trying to do that kind of verification, he said. So, it's generally up to companies like ID Analytics or credit bureaus to serve that purpose.
"If you're one of the folks who has had that duplication, it creates issues," Meiser said. "It's a really interesting challenge for everybody involved."
In hindsight, the fact that two individuals were simultaneously asserting similar credentials but not living in exactly the same place might have been a tip-off, he said. "Both address A and address B were in play," he said. "It probably should have triggered at least some concern."
Also notable is the fact that the Internal Revenue Service didn't raise a flag, since it presumably was getting W-2 forms from two different employers for somebody who was apparently holding two jobs but didn't live in the same place, he said.
“When designing software, developers try to take into account all of the possible scenarios," said Travis Smith, a security analyst with Tripwire. "However, humans are fallible," and that can trip up otherwise well-designed software.
In any case, it's an illustration of why it's important for consumers to use due diligence. They can do it with free credit reports or identity protection services such as LifeLock, which is the parent company of ID Analytics.
"You should be reviewing those reports to see if there's activity associated with your identity that you don't recognize," he said. "Either of these women could probably have seen the problem earlier if they had been doing that."
The Social Security Administration did not immediately respond to a request for comment.