Social Security Exposes PII of 36,000
IG: Breach Occurred Between May 2007 and April 2010
In a summary of the audit, the IG said Social Security sold the information in its Death Master File that erroneously contained information about living people. The Death Master File is a database that contains information about persons who had Social Security numbers and whose deaths were reported to the Social Security Administration.
According to the IG, Social Security implemented procedures to report erroneous death entry-related personally identifiable information breaches to the United States Computer Emergency Readiness Team each week. The agency also hired a contractor to provide continuing reviews of Death Master File exposures related to 26,930 individuals whose PII SSA inadvertently unveiled from July 2006 through January 2009. The IG said the contractor evaluated available data for anomalous patterns that could identify organized misuse. Social Security informed the IG that the contractor has identified no organized misuse.
The IG said Social Security failed to implement a risk-based approach for distributing Death Master File information, attempt to limit the amount of information included on the Death Master File version sold to the public, or explore alternatives to inclusion of individuals' full Social Security numbers. The agency continued to publish the Death Master File with the knowledge its contents included the personally identifiable information of living number holders.
From May 2007 through April 2010, Social Security's publication of the Death Master File resulted in the breach of personally identifiable information for as many as 36,657 additional living individuals erroneously listed as deceased on the Death Master File, the IG said. The breach exposed these individuals' Social Security numbers; first, middle and last names; dates of birth; and state and ZIP codes of last known residences, all of which were available to users of the Death Master File before it was learned they were not actually deceased.
The IG said Social Security should take additional precautions to limit the number of reporting errors and the amount, and it made two recommendations, which the agency rejected. No explanation was given for why the agency rejected the recommendations; an inquiry has been made to the Social Security Administration, and we'll publish its reply if and when it's made.
Saying its report contains restricted information for official use, the IG distributed the full audit only to authorized officials and did not state in its summary publication what the recommendations were.