An Office of Personnel Management contractor last October accidentally mailed postcards to about 3,000 federal retirees on which their Social Security numbers were printed, according to an inspector general report released Wednesday.

Vangent Inc. sent the postcards to retirees who had suspended their Federal Employees Health Benefits Program enrollment to inform them of their eligibility to re-enroll during the upcoming open season. But last summer, multiple errors occurred as OPM and Vangent tried to prepare the database of retirees who needed to receive postcards, according to the IG audit.

The edits to that database were treated as emergency changes, which meant the multiple levels of approval and testing usually required were skipped, the audit said. At one point, Vangent realized the file contained Social Security numbers that should not have been there and tried to remove them. But the original database containing the numbers was never deleted, and the postcards were printed with the numbers the week of Oct. 24.

OPM realized what had happened Oct. 29 and began trying to recover them. Because of other errors in the data files, the postcards were mailed to government agencies — and not to the retirees, as intended — in 150-card stacks. The IG report said that all but 650 postcards were found at those agencies.

The IG also said that the only exposed Social Security numbers were those on the top cards of each stack, although it could not determine how many people had access to the stacks as they proceeded through the printing and mailing process.

OPM has offered free credit monitoring to those 650 retirees, but the IG said it should offer all affected retirees free credit monitoring, since it cannot know how many people saw the postcards before they were recovered.

The IG also said OPM's Office of the Chief Information Officer needs to improve its change management procedures so emergency changes require management approval before being placed into production, and that OPM's Retirement Services division should set up a reconciliation process with Vangent to ensure data files passed between the two organizations have the right amount of data.

The audit also criticizes OPM's Chief Information Officer and Retirement Services offices for taking four days to report the breach to the agency's situation room. OPM requires employees and contractors to report any breach of personally identifiable information within 30 minutes, no matter the time or day of the week. The audit said this suggests OPM employees aren't fully aware of those requirements, and recommended better training on the subject.

OPM did not respond to Federal Times requests for more information. General Dynamics, Vangent's parent company, said it was reviewing the report and had no immediate comment.