The IRS Illegally Disclosed 42,695 Taxpayer Addresses to ICE Due to a Critically Flawed Verification Process

A federal judge has determined that the Internal Revenue Service (IRS) violated federal law a staggering 42,695 times by improperly disclosing confidential taxpayer addresses to Immigration and Customs Enforcement (ICE) last summer. This revelation, first reported by The Washington Post, exposes a severe breakdown in data security protocols and raises significant questions about the government’s commitment to protecting sensitive taxpayer information. The sheer volume of violations, while alarming, is compounded by the deeply concerning details of how this massive data breach occurred, revealing a verification process so fundamentally flawed that it bordered on negligent.

Background of the Data Sharing Agreement

The arrangement that led to these violations stemmed from a broader initiative to enhance inter-agency cooperation in immigration enforcement. In an effort to identify individuals residing in the United States, including those with criminal records, ICE sought access to various government databases. The IRS, possessing a wealth of personal information, including taxpayer addresses, became a target for data sharing. However, federal law imposes strict safeguards on the disclosure of taxpayer information to prevent its misuse for broad investigative purposes without specific probable cause or identification.

Specifically, the law mandates that before the IRS can release a taxpayer’s home address to another government agency, the requesting agency must provide both the name and the precise address of the individual being sought. This requirement is designed to prevent agencies from using tax records as a generalized "fishing expedition" against individuals who have not been specifically identified and targeted for investigation. The intent is to ensure that such disclosures are targeted and based on a legitimate, identified need, rather than a broad sweep of personal data.

The Genesis of the Violations: A Flawed Verification System

The crux of the issue, as detailed in the findings of U.S. District Judge Colleen Kollar-Kotelly, lies in the IRS’s internal verification process when ICE submitted its requests. ICE provided a substantial dataset containing approximately 1.28 million records. The IRS employed two distinct matching processes to handle these requests.

For requests where ICE included a Social Security number (SSN), the IRS utilized a system referred to as "TIN Matching." This process was intended to verify that the provided name and SSN matched existing IRS records. However, critically, the TIN Matching system did not incorporate any mechanism to confirm the accuracy or even the existence of a provided address. The only address-related validation was an automated filter that checked if the designated "address" field contained something that resembled a zip code. This meant that any sequence of five or nine digits would be considered sufficient, irrespective of whether it corresponded to a valid street address.

As Judge Kollar-Kotelly astutely observed in her ruling, "A zip code is not an address, and a zip code proxy, as the IRS would define it, might as well be a set of random numbers. For instance, ICE could have submitted a request with an ‘address’ like, ‘Don’t Care 12345,’ or, ‘00000,’ and still received a taxpayer’s address through the IRS’s TIN Matching process." This statement highlights the profound inadequacy of the safeguard, which was essentially reduced to checking for the presence of any numerical string in the address field.

This deeply flawed process was the backbone of the vast majority of the disclosures. Out of the 47,289 taxpayer addresses that the IRS ultimately shared with ICE, an overwhelming 90.3%, or 42,695 instances, were processed through the TIN Matching system. This means that these disclosures bypassed any meaningful address verification. Only a meager 9.7% of the disclosed addresses were subjected to a process that actually bothered to confirm that ICE had provided a matching address.

The Scope of Deficient Data Submissions

The IRS’s Chief Risk and Control Officer, Dottie Romo, filed a supplemental declaration admitting that the agency "may have supplied last known addresses to ICE" in instances where the data was "either incomplete or insufficiently populated." However, the judge’s opinion provides a far more damning and detailed account of the nature of the "addresses" submitted by ICE.

The ruling cataloged numerous examples of what ICE presented as addresses, many of which were demonstrably deficient. This included disclosures where ICE’s request for confidential taxpayer address information failed to meet statutory requirements, leading to the release of sensitive data when ICE’s submissions were "patently deficient." For instance, the IRS disclosed addresses in situations where ICE provided text in the address field indicating that the address was incomplete, such as "Failed to Provide," "Unknown Address," or "NA NA."

Furthermore, the IRS also released taxpayer addresses when the ICE-supplied address was missing essential components, such as a street name or street number. In other instances, the disclosed addresses pertained to taxpayers whose ICE-supplied "addresses" referred to specific locations like "jails, detention facilities, or prisons." While the city, state, and zip code for these facilities might have been provided, the actual street names and numbers of these buildings or facilities were absent, rendering them incomplete and potentially misleading as a sole identifier.

The fact that the TIN Matching process was not designed to identify these types of data insufficiencies, as the judge noted, is a critical indictment of the system. The process, by its very nature, did not scrutinize the address field in any meaningful way, rendering it incapable of detecting such blatant errors or omissions.

Reactions and Precedents

Nina Olson, the founder of the Center for Taxpayer Rights, the organization that brought the lawsuit, expressed her dismay to The Washington Post, stating, "I don’t know of any opinion about the IRS like this. The kinds of mass requests that are coming in are unprecedented." Her statement underscores the novel and alarming nature of this case, suggesting a departure from established norms of government data handling and taxpayer privacy.

A Disturbing Timeline of Events

Adding to the gravity of the situation is the timeline of events that transpired after the government became aware of the data breach. The Department of the Treasury identified the issues with the data sharing on January 23, 2026. On that very same day, the Treasury Department notified DHS. Coincidentally, on that same day, the sole ICE official who had access to the illegally disclosed taxpayer data granted access to two additional ICE officials. The stated justification for this action was "for the purpose of allowing [them] to create an adequate system of safeguards for the data."

This move is particularly troubling as it occurred on the same day the agency learned that the data had been obtained in violation of federal law. Instead of halting access or immediately rectifying the situation, the initial response was to expand access to the compromised data, ostensibly to improve security measures.

The government’s disclosure of these 42,695 violations to the court and the plaintiffs did not occur until nearly three weeks later, on February 11, 2026. As the judge pointed out, "Defendants informed DHS right away, but they waited nearly three weeks to inform Plaintiffs and the Court." The judge further observed that this delay, coupled with the broader pattern of flawed procedures, "undercut many representations made by Defendants during this litigation" and reflected, "at the very least, a disconnect between the agency clients and counsel, which leads to some concern regarding the completeness of the administrative record." The judge’s understated characterization of "some concern" implies a significant understatement of the perceived issues.

Ongoing Legal Battles and Broader Implications

The case has now moved to the DC Circuit Court of Appeals, where the government is appealing Judge Kollar-Kotelly’s earlier order that blocked the data-sharing arrangement. In its defense of the program, DHS maintains that information sharing across agencies is "essential to identify who is in our country, including violent criminals." This standard defense, however, rings hollow in light of the agency’s demonstrated failure to implement even the most basic verification procedures, including accepting requests with "NA NA" in place of an address.

The formal documentation by a federal judge that the IRS broke federal taxpayer confidentiality law tens of thousands of times, utilizing a verification process so weak that nonsensical entries would have been accepted, is a profound indictment. The subsequent actions of the government—expanding access to illegally obtained data and delaying notification to the court—further exacerbate concerns about accountability and transparency. Despite these revelations, the government continues to advocate for the continuation of the underlying program, a stance that appears increasingly difficult to justify given the demonstrable risks to taxpayer privacy.

The implications of this case extend beyond the immediate legal proceedings. It raises critical questions about the adequacy of current data protection regulations, the oversight mechanisms governing inter-agency data sharing, and the potential for future breaches of sensitive personal information. The case serves as a stark reminder that even the most fundamental safeguards can be eroded by inadequate implementation and a lack of rigorous oversight, potentially compromising the privacy and security of millions of citizens.