Skip to content
GET E-NEWS UPDATES
  1. News
  2. Press Releases

Baldwin Demands Answers from Social Security Administration on Musk and DOGE’s Access to Personal Information

Reports indicate DOGE has access to Social Security’s data center, which includes Americans’ bank and credit card information, work history, tax data, medical records, home address, children’s names, and more

WASHINGTON, D.C. – U.S. Senator Tammy Baldwin (D-WI) and a group of her colleagues demanded answers from the Social Security Administration regarding the recent turmoil at the agency as Elon Musk and his so-called Department of Government Efficiency (DOGE) embed themselves and gain access to Wisconsinites most sensitive personal information.

“Providing access to personally identifiable information on hundreds of millions of Americans stored by SSA to DOGE employees without a legitimate reason, and in apparent disregard for privacy laws, regulations, and procedures, raises serious concerns about the security of that data and what DOGE plans to do with it,” wrote Baldwin and the lawmakers.

The letter seeks answers from Acting Commissioner Leland Dudek about DOGE’s activities at SSA, including:

  • Whether the Acting Commissioner has disclosed any sensitive personal or financial information to any unauthorized persons outside SSA.
  • Whether DOGE has requested or received access to any SSA system that is used in determining eligibility or benefit amount of Social Security or SSI benefits.
  • Whether DOGE has gained access to SSA databases that include personally identifiable information, wage or tax information, or personal health information.
  • Whether any private or commercial servers been connected or integrated into SSA data systems to review, edit, modify, access, delete, move or otherwise change data.
  • What steps are being taken to prevent DOGE from stopping lawful benefit payments or utilizing personally identifiable information for political purposes.

Earlier this month, Senator Baldwin called on Veterans Affairs (VA) Secretary Doug Collins to take immediate actions to secure veterans’ personal information provided by the VA or other agencies from Elon Musk and DOGE.

A full version of this letter is available here and below.

Acting Commissioner Dudek: 

We write to express deep concern regarding disturbing reports that the President replaced Social Security Administration (SSA) Acting Commissioner Michelle King for refusing to provide Elon Musk and the so-called “Department of Government Efficiency” (DOGE) access to the agency’s most sensitive data without proper documentation, and that you have provided DOGE unfettered access.

As the central hub for Americans’ most sensitive personal and financial information, and the nation’s largest benefit-paying agency, DOGE’s actions--in seeking access to this information-represent a two-front invasion on Americans’ financial security and privacy.  In response to earlier media reports detailing DOGE’s efforts to access SSA systems, Senator Wyden demanded information from then-Acting Commissioner King to verify these reports and to understand what steps she has taken to protect Americans’ privacy.  In her February 11 response, she wrote that no one affiliated with DOGE had “requested nor received access to the agency’s programmatic systems.”  Further, she stressed that employee access to SSA’s systems is limited to the least privileges necessary to complete job duties, and its systems are continuously monitored to identify suspicious behaviors.

Stringent privacy laws, regulations, and administrative procedures are in place to protect American’s data, including personally identifiable information, stored and used for legitimate purposes by government agencies. Maybe nowhere is that more important than SSA. For example, the Privacy Act of 1974, as amended (5 U.S.C. 552a, Public Law 93-579), protects Americans against an unwarranted invasion of their privacy related to the disclosure of their personal information. And, in so doing, it requires each federal agency to publish in the Federal Register information related to how and why it is accessing a specific system of records—data that are collected, maintained, used, or disseminated that contain personally identifiable information. To date, no justification has been published related to DOGE actions at SSA or otherwise.  Providing access to personally identifiable information on hundreds of millions of Americans stored by SSA to DOGE employees without a legitimate reason, and in apparent disregard for privacy laws, regulations, and procedures, raises serious concerns about the security of that data and what DOGE plans to do with it.

We are also concerned that DOGE’s access to these systems has been provided under false pretenses claiming rampant fraud to cut benefits to Americans.  Over the past weekend, Elon Musk repeatedly posted and reposted a false claim that millions of individuals over age 150 are receiving Social Security benefits.  These claims are so easily disproven, and have been repeatedly, that this cannot be a justifiable reason to need complete access to all data housed at SSA.  A simple internet search would show U.S. Census data estimating approximately 80,000 Americans over age 100 living in the United States today, and SSA’s own data shows that roughly 53,000 Americans over age 100 receive Social Security benefits in December 2023. As you know, SSA’s Office of Inspector General (OIG) published an audit in 2023 which found that of the 18.9 million individuals over age 100 that did not have death information reported to SSA, almost none currently receive benefit payments or have reported earnings in the past 50 years.  In the same audit, SSA noted that combing through the agency’s records to update the information of these individuals would cost up to $9.7 million, with little benefit to SSA’s administration of the programs. 

As you know, the information collected and housed at the agency could have significant commercial value, as well as competitive advantage for individuals seeking to use it for financial gain. Likewise, it could be misappropriated to target American citizens and businesses for political or exploitative means. This includes Americans’ Social Security Numbers; bank and credit card information; birth and marriage certificates; pension information; home and work addresses; school records; citizenship status; immigration or naturalization records; IRS earnings records; health care providers’ contact information; family court records; employment and employer records; psychological or psychiatric health records; hospitalization records; addiction treatment; and test for or records of HIV/AIDS. These records are handled by career civil servants under stringent federal and state privacy laws and regulations to protect Americans’ health and financial information.

As you well know, SSA employs sophisticated systems, processes, and controls to ensure that benefits are paid the correct amount to the correct person. SSA has made great strides in improving its program integrity systems to reduce improper payments and to prevent instances of waste, fraud, or abuse.  While we agree that more can always be done to improve SSA’s process, Musk and DOGE do not appear to be interested in improving the system for Americans.  Rather than working collaboratively with the agency to understand and improve its existing systems, Musk and DOGE have been keener on publicizing misleading or blatantly inaccurate information about Social Security. This raises questions on whether their pursuit of combatting waste, fraud, and abuse is purely performative rather than sincere.

Moreover, the President’s decision to replace a career SSA official with over three decades of agency experience with an employee with no executive experience will likely trigger a cascade of departures of experienced agency personnel, as former Commissioner O’Malley warned. At a time when the agency’s workforce is at a 50-year low, the potential loss of centuries’ worth of agency experience will risk worsening backlogs, longer wait times, and interruption of benefit payments.  When combined with SSA providing inexperienced individuals unfettered access to the agency’s sensitive systems, there is a profound risk of causing irreparable harm to the agency’s systems and Americans’ financial security.

Finally, we are also concerned of reports that prior to your appointment as Acting Commissioner, you were placed on administrative leave pending an investigation into you sharing sensitive documents with individuals not authorized to access such information, and for harassing and threatening fellow SSA employees to work with DOGE. If accurate, your actions demonstrate a betrayal of trust and your oath of office and may violate federal privacy laws.

For this reason, we request that you respond to the following questions no later than February 25, 2025:

  1. Have you disclosed any personally identifiable information (PII), protected health information (PHI), federal tax information (FTI), or other sensitive personal and financial information in any SSA data systems to:
    1. Any SSA personnel or SSA contractors who lacked the appropriate statutory authority to access such information;
    2. Non-SSA federal employees;
    3. Non-SSA federal contractors;
    4. Special Government Employees (SGEs); or
    5. Any other unauthorized persons?
  1. Has DOGE, or any individuals or entities operating under the guise of or direction of DOGE (including such individuals who may have been onboarded to the Agency and received an Agency or Departmental email address) requested or received access to any SSA system that is used in determining eligibility or benefit amount of Social Security or SSI benefits?
    1. If so, who granted such access, to which systems, and for what specific purposes? Please name each system and provide the names of individuals who have been given access to such system.
    2. Under what legal authority did SSA grant such access? Please provide a detailed description of this authority and copies of all communication between individuals associated with the “Department of Government Efficiency” and SSA systems.
    3. For each individual who has been given access to SSA data systems since January 20, 2025, please provide information on:
      1. The agency to which each such individual has been onboarded (or working as a contractor for) and whether an individual who may have been onboarded to a different agency has been given an SSA email address;
      2. Which federal forms each such individual completed relating to background checks (i.e. SF-85, SF-85P, SF 85PS, SF-86);
      3. Whether the Federal Bureau of Investigation (FBI) completed a background check for each such individual;
      4. Whether the individuals have used their data access privileges consistent with any restrictions based on their respective security clearance levels;
      5. What trainings on security, health information privacy, cybersecurity, financial, fraud, or other trainings required of SSA or their contractors these individuals have undertaken and when.
    4. Please provide a list of queries run on each such system by each user, since January 20, 2025, including dates and usernames.
    5. Please provide a thorough accounting of the information each individual reviewed, modified, accessed, deleted, or otherwise edited under such system.
    6. For any information that has been modified, edited, or deleted, please provide an accounting of the variables, entries, and the exact changes made, as well as for what purpose.
    7. Please provide details on any information from any such systems that were downloaded, copied, transferred, or otherwise removed from the Agency. Please specify which data, by what means they were downloaded or transferred, and to whom or what entity.
  1. Has DOGE, or any individuals or entities operating under the direction of DOGE gained access to SSA databases that include personally identifiable information, wage or tax information, or personal health information?
    1. If so, which data have been reviewed, modified, deleted, or otherwise edited or removed, copied, or downloaded or otherwise transferred by these individuals?
    2. Under what legal authority did SSA grant such access? Please provide a detailed description of this authority and copies of all communication between individuals or entities operating under the direction of DOGE and SSA officials related to the granting of this access.
    3. How many individuals does this affect? Have these individuals been notified that their information has been accessed and for what purposes in accordance with the requirements of the Privacy Act of 1974, as amended, and Section 1106 of the Social Security Act (42 U.S.C. 1306)? Please provide documentation.
    4. To the extent personally identifiable information were accessed since January 20, 2025, please provide the System of Record Notice included in the Federal Register reflective of this access.
  1. Have any private or commercial servers been connected or integrated into SSA data systems to review, edit, modify, access, delete, move or otherwise change data?
    1. If so, please explain the origin of such servers and provide documentation related to testing and validating controls to ensure no new vulnerabilities were introduced into SSA data systems upon use.
    2. For any data that were moved to a private or commercial server, please show how that system has been reviewed and is abiding by the National Institute of Standards and Technology (NIST) special publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
    3.  For any data that were moved to a private or commercial server, please provide detailed information related to whether any safe storage standards are being employed.
  1. Attempts to suspend federal payments have been reportedly attempted by individuals or entities operating under the direction of DOGE. We are deeply concerned that DOGE may attempt to stop lawful payments for Social Security and SSI benefit payments, deny benefits to individuals who are perceived to not support President Trump, or otherwise inflict financial harm on individuals.
    1. What steps have been taken to ensure that the data of individuals, beneficiaries, and health care providers are protected from unlawful payment suspensions or data leaks?
    2. What specific steps have been taken to ensure compliance with current laws, guidance, and regulations to ensure that the use of these data will not interfere with timely payments of Social Security and SSI benefits?
    3. What specific steps have been taken to ensure compliance with current laws, guidance, and regulations to ensure that personally identifiable information that is held on SSA systems is not being utilized for politically motivated purposes?

 

Thank you for your attention to this urgent matter. We look forward to your prompt response.

Sincerely,

An online version of this release is available here.

###

Previous
Next