Weaknesses Found in the Social Security Administration’s Handling of Personal Information Losses
The Social Security Administration’s (SSA) Office of the Inspector General (OIG) has released an audit report revealing weaknesses in the agency’s response to losses of American citizens’ personal information.
Between 2019 and 2023, SSA employees reported nearly 24,000 incidents of lost or compromised personally identifiable information (PII) through the agency’s legacy reporting tool.
OIG’s review found:
• 658 PII losses were not recorded properly
• 2,568 reports were left without a risk-level assignment
• Unresolved loss reports stayed open an average of nearly two years
• Only 3 percent of sampled reports were referred to the OIG as required, and 27 percent that should have been referred were not.
“SSA must respond appropriately when any information that contains PII leaves SSA’s custody or is disclosed to an unauthorized party to minimize the risk of harm to the American people,” said Acting Inspector General Michelle Anderson. “SSA must ensure that every potential PII breach is promptly assessed and referred to the Office of the Inspector General, as appropriate. Anything less puts the privacy and security of the individuals SSA serves at risk.”
SSA updated its policies and procedures during the audit, but the Agency can do more. The report makes three key recommendations to SSA:
- Review and address the 658 improperly recorded PII losses
- Evaluate the effectiveness of the processes and controls recently implemented and implement any necessary changes
- Update the Breach Response Plan to make referral requirements to the OIG clear