The Social Security Administration inadvertently compromised the personal information of more than 20,000 people by listing them in the Death Master File (DMF) while they were still alive, the agency's inspector general has determined.

The IG's analysis dates to January 2004. Since then, SSA has made the live people's Social Security number, full name, date of birth, and state and ZIP code of last known residence available to users of the database, the IG found.

After learning that those people were not deceased, SSA deleted the information, which limited its spread. However, that had no effect on the information previously made available to DMF subscribers.

The IG's investigators found some instances where the personal information was available for free viewing on the Internet, according to a June 4 IG report.

SSA provides the data to the Commerce Department's National Technical Information Service (NTIS), which in turn sells it to customers. Customers include the government, investigative businesses, financial and credit reporting firms, and geneaology researchers. Some, including prominent geneaology Web sites, post some or all of the information online for their users.

To prevent a repeat of the situation, the IG's  recommendations include:

• Implementing a risk-based approach for distribution of DMF information. One suggestion: Have NTIS delay release of updates to public customers for one year to give SSA ample time to correct erroneous entires.
• Limiting information included in the data sold to public customers.
• Starting required breach notification evaluation procedures.
• Providing appropriate notification to living individuals whose information was released in error.