The third bombshell had better be the charm.

Wisconsin residents were just beginning to calm down after the tax form fiasco that left many of their Social Security numbers exposed in the mail. In the past couple of weeks, three new foul-ups were reported.

First it was revealed that Medicaid case numbers, all but one digit based on a person's Social Security number, appeared on informational packets. Then some northern Wisconsin taxpayers' numbers were visible through the clear pane on envelopes containing tax forms. Finally, the ID numbers of University of Wisconsin-Madison staff who bought from a campus computer shop sat online for a year or more.

The administration of Gov. Jim Doyle pinned the blame for the Medicaid mistake on the contractor that sent out the labeled booklets on behalf of the Health and Family Services department. Officials won't find any scapegoats for the other errors. Those culprits are in-house.

As usual, affected residents will receive free credit monitoring to fend off identity theft. That's a start, but it's time for state government to stop reacting and begin acting. We agree with Rep. Marlin Schneider (D-Wisconsin Rapids) that rolling a few heads will not solve the problem. The hole in the armor is much bigger than that.

Doyle brought on privacy protection specialist Metavante to audit the state's safekeeping of private information. We hope that review brings substantive changes and not just extra exposure to a company whose employees have been faithful donors to the governor.

The question is how the state got so far behind the curve. Consumers, for example, have for years received receipts and statements that "X" out all but a small section of their credit card numbers.

It doesn't take an extensive study by an auditor to introduce some of the most critical fixes. While most states use random numbers to identify Medicaid patients, with no connection to Social Security numbers, Wisconsin remains the exception.

EDS, the contractor that made the label error, is in the process of changing that. However, it doesn't plan to have its computers updated until October.

Doyle should make sure that project moves to the head of the line so the switch can be accelerated. The change is already a couple of years overdue.

Some state-mandated training is in order, as well, for employees - both public and private - who deal with Wisconsinites' sensitive information. Contractors like EDS have proven attentive to the potential for identity theft only after problems arise.

Attorney General J.B. Van Hollen is also looking into the possibility of legal action. The state should make sure firms receive the message that mix-ups will greatly endanger their chances for future jobs. If that's not enough incentive to pre-empt problems, the Legislature should also put it in writing that a contractor found to be at fault must cover any losses from a resulting identity theft.

Better that a business or agency takes a brief beating for its carelessness than an ordinary citizen takes a lengthy one for simply being unlucky.