According to an IG report summary, SSA’s publication of the personally identifiable information of living people on the death master file occurred from May 2007 to April 2010.
This occurred despite the IG warning the agency to implement procedures to report erroneous death entry-related data breaches to US-CERT each week, and despite the agency hiring a contractor to provide ongoing reviews of the death master file exposure.
“However, SSA did not implement a risk-based approach for distributing DMF information, attempt to limit the amount of information included on the DMF version sold to the public, or explore alternatives to inclusion of individuals’ full social security number. SSA continued to publish the DMF with the knowledge its contents included the [personally identifiable information] of living number holders”, the report said.
In response to this finding, the IG gave a slap on the hand to the agency. “We believe SSA should take additional precautions to limit the number of reporting errors and the amount of personal information published in the DMF – particularly the version sold to the public”, the report said.
The IG said it proposed two recommendations for corrective action, and the agency disagreed with both. However, the IG did not disclose the recommendations or the full report.