After more than 10 years of warnings by government investigators, the Centers for Medicare & Medicaid Services now has a mandate to remove Social Security numbers from enrollees’ cards — a practice identified as one of the top personal financial threats seniors face today.

CMS states at the top of its own website, “Identity theft is a serious crime that happens when someone uses your personal information without your consent to commit fraud or other crimes.”

The new requirement came embedded in a major Medicare payment reform bill signed into law last week. CMS will have four years to begin issuing new Social Security cards without the numbers, and up to eight years to issue replacement cards to more than 50 million existing enrollees. The $320 million conversion cost will be paid from Medicare trust funds.

Social Security numbers on the Medicare cards will be replaced by a randomly generated identifier, officials say.

The decision comes after an inexplicable decade-long delay in heeding Office of Inspector General warnings that including the numbers on government benefit cards places tens of millions of seniors at risk of identity theft, according to The New York Times. Seven years ago, the Defense Department and the Department of Veterans Affairs started executing “elaborate plans to remove Social Security numbers from their identification cards,” the newspaper reported Monday.

The impetus for Medicare requiring the change is twofold: a current rash of data hacks and the push to implement electronic health records.

CMS told the Times the bulk of its resources the past two years was being used to repair, the website established under the Affordability Care Act.