Federal Employee Data Privacy After DOGE: What You Need to Know (March 2026 Update)

Last Updated: March 17, 2026

On March 10, 2026, the Washington Post and Wired reported that a former DOGE software engineer told co-workers at his new job that he possessed two of the most sensitive databases in the federal government, the SSA NUMIDENT and the Death Master File, and had brought them to his new employer on a personal thumb drive.

The engineer, John Solly, reportedly described himself as having "God-level access" to SSA systems during his time at DOGE. He moved from DOGE to become CTO at Leidos, a defense contractor that holds a multi-billion-dollar contract with SSA to manage the very IT infrastructure he allegedly accessed. Solly and Leidos deny all allegations. The SSA Inspector General confirmed an active investigation.

This came eight months after a separate whistleblower, SSA Chief Data Officer Charles Borges, alleged DOGE had copied the NUMIDENT to an unaudited private cloud server. Borges resigned three days after filing that complaint.

For federal employees, these incidents are part of a year-long pattern. DOGE began accessing OPM personnel systems in February 2025. By late March, access extended to Treasury payroll systems covering 276,000 employees. IRS bank account data for every filer with an electronic refund was also accessed.

In March 2026, a D.C. federal court allowed a Privacy Act lawsuit by five federal employees to advance to discovery, with the judge noting the government's own admission that DOGE staffers "mishandled agency data in precisely the ways Plaintiffs feared."

Here is what happened, what it means for your data, and what to do right now.

Key Takeaways

• DOGE accessed OPM, Treasury, FPPS, SSA, and IRS systems containing federal employee PII starting February 2025. Your personnel records almost certainly passed through affected systems.
• A March 2026 whistleblower alleges former DOGE engineer John Solly copied 500 million records to a thumb drive. Solly reportedly claimed "God-level access" to SSA systems. He and Leidos deny the allegations; an SSA OIG investigation is active.
• A D.C. federal court allowed a Privacy Act lawsuit by five federal employees to advance to discovery in March 2026, the most employee-favorable ruling to date.
• If you have 2015 OPM breach IDX coverage, it expires by September 30, 2026. Check your expiration date now.
• A credit freeze at all three bureaus is free, takes about 15 minutes, and does not affect your credit score.
• Courts found Privacy Act violations but access continued due to standing requirements and appellate reversals. Act on the assumption your data was accessed.

---

What Happened: Timeline of DOGE Data Access

The access was not a hack in the traditional sense. No system was broken into by an outside attacker. DOGE personnel were granted access credentials to federal systems, often over the objections of career IT and security staff.

Date	Event
February 1-6, 2025	DOGE accesses OPM databases with PII for millions of current and former employees and job applicants
February 2025	DOGE presses IRS to share taxpayer return data; accesses Treasury Bureau of Fiscal Service including bank account info for all e-refund recipients
March 2025	SDNY court finds Privacy Act "likely violated"; issues preliminary injunction
March 2025	DOGE staff at SSA given telework agreements — the only individuals in the CIO's office with such arrangements; SSA officials could not explain who approved them
Late March 2025	DOGE accesses FPPS payroll system affecting ~276,000 employees at DOJ, Treasury, DHS after two weeks of internal resistance
June 6, 2025	Judge Denise Cote (SDNY) finds OPM "violated the law and bypassed its cybersecurity practices"; orders DOGE removed from OPM systems
June 6, 2025	Supreme Court restores DOGE access to SSA data pending further proceedings
August 2025	Fourth Circuit lifts lower court injunction (2-1, standing issue); access continues despite violation finding
August 26, 2025	SSA Chief Data Officer Charles Borges files whistleblower complaint: DOGE copied NUMIDENT to unaudited private cloud server with no independent security controls
August 29, 2025	Borges resigns three days after filing the complaint
January 2026	SSA discloses DOGE employees "secretly and improperly shared sensitive personal data in 2025" and cannot verify extent of violations
March 6, 2026	SSA OIG notifies congressional committees it is reviewing a whistleblower complaint about potential data misuse by a former DOGE employee
March 9, 2026	House Oversight Democrats send letters to SSA Commissioner Bisignano and former DOGE staffer Coristine demanding answers
March 10, 2026	Washington Post and Wired report: John Solly identified as former DOGE engineer who allegedly copied NUMIDENT and Death Master File to thumb drive
March 11, 2026	House Oversight Ranking Member Robert Garcia expands DOGE data investigation
March 12, 2026	Sen. Gary Peters (HSGAC) calls for independent investigation into DOGE SSA activities
March 2026	D.C. federal court allows Privacy Act lawsuit by five federal employees to advance to discovery
March 17, 2026	SSA OIG investigation ongoing; Solly and Leidos deny allegations; no charges filed

A critical point: federal judges found Privacy Act violations, and one ordered DOGE removed from OPM systems. But access continued because appellate courts lifted injunctions on standing grounds, and the Supreme Court restored SSA access pending further review. "Courts found violations" does not mean the access stopped.

April 2026 update: Fourth Circuit vacates the second injunction

On April 10, 2026, the Fourth Circuit vacated a separate injunction that had limited DOGE access to SSA systems. NARFE summarized the ruling on April 21. Two facts make this ruling more troubling than the August 2025 reversal:

• The government admitted to a federal court that earlier representations were "patently false." During the proceedings, the government acknowledged that DOGE staff had previously accessed SSA data improperly. The same lawyers who had told the district court the access was lawful now had to concede the prior statements were inaccurate.
• A DOGE employee shared SSA data with a political group seeking to overturn election results. This was on the public record before the Fourth Circuit ruled. The court vacated the injunction anyway, on standing grounds.

Judge King's dissent called the result "alarming" and warned that the standing analysis allowed the agency to commit acknowledged Privacy Act violations without judicial remedy. The dissent is worth reading in full if you are tracking this case.

What this means for federal employees right now:

1. The legal track is unlikely to stop the access. Two Fourth Circuit rulings in 14 months have vacated injunctions on standing. Plaintiffs need to demonstrate concrete, specific harm from the data exposure itself. That bar is high. The D.C. court's March 2026 advancement of the five-plaintiff Privacy Act case to discovery remains the most active legal channel.
2. Self-help measures matter more. Monitor your my Social Security account weekly at ssa.gov for unfamiliar address changes, banking changes, or earnings adjustments. If anything looks off, report it to SSA OIG (1-800-269-0271) and consider a Privacy Act request to identify who has accessed your records.
3. Congressional case escalation is the fastest practical lever. House Oversight Democrats and Sen. Peters are actively investigating. If you have specific evidence of misuse of your data, your representative's caseworker can route it to the active investigations rather than waiting for judicial relief.

---

Which Systems Store Your Data

Not all federal employee data sits in one place. Here is a map of the systems that hold your PII and their reported DOGE access status.

System	Operator	Data Contained	DOGE Accessed?
eOPF (Electronic Official Personnel Folder)	NFC/OPM	Full employment history, SF-50s, performance ratings, disciplinary records	Yes (OPM systems broadly, Feb 2025)
FPPS (Federal Personnel and Payroll System)	Dept. of Interior/IBC	Name, SSN, pay grade, payroll, health/life insurance enrollment	Yes (late March 2025)
GRB Platform (Government Retirement & Benefits)	DOI	Name, DOB, home address, SSN, health/life enrollment, retirement contributions, leave, tax withholding	Via FPPS/OPM integration
USA Staffing	OPM	Job applicant PII, resumes, background check initiation data	Yes (OPM systems broadly)
NFC (National Finance Center)	USDA	Payroll, salary, direct deposit info	Linked to FPPS access
e-QIP / NBIS	DCSA	SF-86 background investigation data — employment history, foreign contacts, finances, mental health disclosures	Not directly reported; 2015 breach compromised this
SSA NUMIDENT	SSA	SSN, DOB, place of birth, citizenship, ethnicity, parents' names, phone, address — for every SSN holder	Yes (two whistleblower incidents, 2025-2026)
IRS / Treasury	Treasury Bureau of Fiscal Service	Bank account info for all filers with electronic refunds, tax return data	Yes (early 2025)

If you held a security clearance, your SF-86 data is managed by DCSA (formerly NBIB), not OPM's general HR systems. No reports have confirmed direct DOGE access to e-QIP/NBIS. But the 2015 OPM breach already compromised SF-86 data for 19.7 million people, and that protection contract expires this year.

---

The Two SSA Incidents: What the Whistleblowers Alleged

Incident 1: The Vulnerable Cloud Server (August 2025)

Charles Borges, then SSA's Chief Data Officer, filed a whistleblower disclosure on August 26, 2025. He alleged that DOGE-affiliated officials copied the NUMIDENT database into a self-administered cloud environment with no independent security controls and no verified audit or oversight mechanisms. SSA officials could not verify what access controls existed or who could reach the data.

The NUMIDENT contains records for approximately 300 million living Americans. SSA denied wrongdoing. Borges resigned three days after filing the complaint.

Incident 2: The Thumb Drive (March 2026)

A new whistleblower complaint, reported March 10, 2026, alleged that former DOGE engineer John Solly told co-workers at Leidos that he "possessed two tightly restricted databases of U.S. citizens' information": the NUMIDENT and the Death Master File. Together, those two databases cover more than 500 million records.

According to the NPR account of the whistleblower complaint, Solly described himself as having "God-level access" to SSA systems during his DOGE tenure. The whistleblower alleged he was planning to use that data at Leidos.

Leidos holds a five-year, up to $1.5 billion contract with SSA to manage the very IT infrastructure Solly allegedly accessed. Solly has been Leidos's health IT CTO since October 2025.

Solly and Leidos both deny the allegations. The SSA Inspector General confirmed an active investigation on March 6, 2026. Congressional Democrats expanded their investigations the following week.

The distinction matters: what is alleged (the thumb drive) versus what is confirmed (DOGE accessed OPM, Treasury, SSA, and FPPS systems). The broader system access is documented in court filings. Treat the thumb drive allegations as unverified but active.

---

The Privacy Act Lawsuit Advancing to Discovery

In March 2026, a D.C. federal court allowed a Privacy Act lawsuit filed by five federal employees to proceed to discovery. The judge noted the government's own admission that DOGE staffers "mishandled agency data in precisely the ways Plaintiffs feared."

This is the most employee-favorable ruling to date. Earlier rulings had found Privacy Act violations but denied relief because plaintiffs lacked standing, meaning they could not prove concrete, particularized harm from the access itself.

The D.C. court accepted that federal employees suffered concrete injury. That clears the standing hurdle that sank earlier cases. It also means government records about the scope of DOGE data access may soon be compelled through discovery.

Ongoing Investigations and Legal Actions

Body	Action	Status
SSA Office of Inspector General	Investigating thumb drive whistleblower complaint	Active (confirmed March 6, 2026)
House Oversight Committee (Ranking Member Garcia)	Letters to SSA Commissioner Bisignano and former DOGE staffer Coristine; expanded investigation	Active (letters March 9, expanded March 11)
Senate HSGAC (Sen. Gary Peters)	Called for independent investigation into DOGE SSA activities	Pending (letter March 12)
D.C. Federal Court	Privacy Act lawsuit by five federal employees	Discovery underway (March 2026)
EFF Lawsuit (OPM/DOGE)	Filed February 2025	Injunction lifted August 2025; case ongoing
AFGE/SEIU Treasury suit	Against Treasury data sharing with DOGE	Summary judgment pending
AFGE/NTEU SSA suit	Against SSA data access	Supreme Court restored access June 2025; case ongoing

---

What Protections Exist: The Privacy Act

The Privacy Act of 1974 (5 U.S.C. 552a) is the primary legal protection for federal employee records. It gives you five core rights:

1. Right to access your own records in any agency system of records
2. Right to know if those records have been disclosed and to whom
3. Right to amend inaccurate, irrelevant, untimely, or incomplete records
4. No disclosure without consent: agencies cannot share your records without your written consent, subject to 12 enumerated exceptions
5. Right to sue in federal district court for unlawful disclosures (5 U.S.C. 552a(g))

Where the Law Ran Into Limits

The Privacy Act has 12 exceptions, including a "routine use" category that courts have interpreted broadly. The administration characterized DOGE access as a "routine use" for government operations. Courts are still litigating whether that interpretation is valid, and the D.C. court's March 2026 ruling accepting concrete injury is now the leading precedent for employees.

The standing problem remains. In August 2025, the Fourth Circuit lifted the main OPM injunction because plaintiffs likely could not prove concrete harm from the data access itself. A court can find that an agency "violated the law" and still deny relief if plaintiffs cannot demonstrate specific injury. The March 2026 D.C. ruling is significant precisely because it cleared this hurdle for the five plaintiff employees.

Administrative Privacy Act complaints through your agency's privacy office are your most accessible route. They create a record, they are free, and they do not require the standing proof a federal lawsuit demands.

---

Security Clearance Implications

If you hold or held a clearance, the DOGE incidents layer onto a breach that already happened. Here is why that matters.

The 2015 OPM Breach Context

The 2015 OPM breach compromised SF-86 background investigation data for 19.7 million people. The SF-86 is the most sensitive document in any federal employee's profile. It contains:

• Full employment and residential history (10 years)
• Names of family members, references, and cohabitants
• Foreign contacts and travel history
• Mental health treatment history
• Financial history (bankruptcies, delinquencies)
• Criminal history
• Biometric fingerprints (1.1 million records compromised)
• Investigator interview notes

The attack was attributed to Chinese intelligence. The risk from that breach is not credit fraud. It is social engineering and targeting. Foreign intelligence services received a complete map of who holds U.S. clearances.

How the DOGE Incidents Add to That Risk

276,000+ clearance holders at DOJ, Treasury, and DHS had their payroll and insurance enrollment data pass through FPPS, which DOGE accessed in late March 2025. That is the new layer. The old layer is the 2015 breach, which gave foreign intelligence services SF-86 files on 19.7 million people: who holds clearances, their foreign contacts, their finances, their family.

Put those together: an adversary with both sets can cross-reference who was cleared in 2015, whether they are still employed, what they currently earn, and their updated SSN and address. If the Solly allegations prove accurate, the NUMIDENT adds the third piece. No official public assessment of the combined risk has been released as of March 17, 2026.

Practical Steps for Cleared Employees

• Be alert to spear phishing and social engineering from parties who appear to know unusual personal details. This is the most documented real-world consequence of the 2015 breach.
• Report any contact you believe may be related to either breach to your agency security officer and the FBI.
• The 2015 breach compromised the identities of 1.8 million family members and cohabitants as well. Notify them if applicable.
• If your background investigation is up for reinvestigation, DCSA will likely ask about recent data exposures. That is standard procedure, not a red flag.

---

Your Protection Checklist

Immediate Steps (Do This Week)

These steps take 15-30 minutes total and cost nothing.

• Place a credit freeze at all three bureaus. Equifax (equifax.com), Experian (experian.com), TransUnion (transunion.com). A credit freeze is free under federal law and does not affect your credit score. It prevents anyone from opening new credit in your name. You can temporarily lift it when you apply for credit.
• Place a fraud alert. Place at one bureau; it automatically notifies the other two. An initial fraud alert lasts one year. An extended fraud alert lasts seven years and requires creditors to verify your identity before extending credit.
• Create or verify your my Social Security account. Go to ssa.gov/myaccount. This locks your SSA record to your own login and prevents someone else from creating an account on your SSN to redirect benefit payments.
• Set up an IRS Identity Protection PIN. Go to irs.gov/identity-theft-central. This six-digit PIN must appear on any tax return filed with your SSN. Without it, the IRS rejects the return. That stops fraudulent filing in your name.
• Check your IDX coverage if you were in the 2015 OPM breach. Log in to your IDX account or check for notification emails from IDX or nrc.idprotectionservices.com. Coverage expires by September 30, 2026.

Medium-Term Steps (This Month)

• Request access to your eOPF. Contact your agency HR office to review all documents in your electronic personnel folder. Flag any document you do not recognize, and report discrepancies to your agency's human capital office immediately.
• File a Privacy Act access request. You can formally request a copy of all records your agency maintains on you. Agencies must acknowledge your request within 10 days and generally respond within 30 days. This creates a baseline and may reveal unexpected disclosures.
• Review your credit reports. AnnualCreditReport.com provides free weekly reports from all three bureaus. Review for accounts, inquiries, or addresses you do not recognize.
• Monitor your Social Security earnings record. Log in to ssa.gov/myaccount and check your earnings history. Any discrepancy may indicate SSN misuse.
• Report identity theft if it occurs. IdentityTheft.gov (FTC) provides a personalized, step-by-step recovery plan.

If You Witness Data Misuse (Whistleblower Steps)

• Document what you observed: dates, systems, individuals, specific actions
• Report to your agency Inspector General. Your identity is protected by law.
• Report to the Office of Special Counsel at osc.gov. OSC does not share your identity without your consent.
• If you believe there is imminent danger to public health or safety, you may report to Members of Congress with appropriate clearance

---

The 2015 OPM Breach: Why 2026 Is the Deadline

The 2015 OPM breach compromised 21.5 million records, the largest theft of personnel data in U.S. government history. The government contracted with IDX to provide 10 years of free identity theft protection to affected individuals.

That contract expires September 30, 2026.

If you enrolled, IDX is already sending expiration notices by email. Your coverage ends on the 10-year anniversary of your enrollment date, which for most people is somewhere in 2025 or 2026. Legislation to extend coverage for life (the Norton/Ruppersberger bill) has not passed Congress. OPM has not announced any extension.

What to do if you have IDX coverage: Check your enrollment email or log in at nrc.idprotectionservices.com to confirm your expiration date. Before coverage lapses, set up the free alternatives above (credit freezes, ssa.gov account, IRS IP PIN) and enroll in a commercial credit monitoring service if you want ongoing alerts.

---

Whistleblower Protections

Both people who formally raised alarms about DOGE data practices paid a professional price. Charles Borges resigned three days after filing his SSA complaint. The pattern has pushed other career officials to transfer quietly rather than go on record.

If you witnessed data misuse and are weighing whether to report, here is what the law actually provides.

The Whistleblower Protection Act (5 U.S.C. 2302(b)(8)) prohibits agencies from taking personnel actions (removal, suspension, demotion, pay cut, transfer) against an employee who discloses information they reasonably believe shows a violation of law or regulation, gross mismanagement, gross waste, abuse of authority, or a substantial and specific danger to public health or safety.

Where to report:

• Agency Inspector General: IGs cannot disclose your identity without consent. They operate independently from agency leadership and report to both the agency head and Congress.
• Office of Special Counsel: osc.gov. OSC investigates prohibited personnel practices, keeps your identity confidential, and can seek corrective action against officials who retaliate.
• Congress: Members and staff with appropriate clearances can receive disclosures about classified matters.

Document everything before reporting: dates, systems involved, what you observed, who was present, and any instructions you received. A documented record is your strongest protection.

---

Protect Your Career: Related Resources

DOGE-era workforce reductions are running alongside the data privacy concerns, not separately from them. If your position is at risk, the RIF Survival Guide 2026 covers retention rights, bump and retreat, and what to do if you receive a RIF notice.

For broader workforce context, see Federal Workforce Outlook 2026, which tracks DOGE actions, RIF moratorium status, and agency-level reduction timelines.

If you are concerned about at-will conversion under Schedule F, the Schedule F Guide 2026 covers due process rights and how career appointment protections apply.

For MSPB appeal rights and whistleblower protection procedures, see MSPB Ruling: Tenured Federal Employees 2026.

If you are updating your LinkedIn profile during a career transition or preparing for a job search outside of federal service, FedShot AI generates professional headshots for federal employees in under 60 seconds.

---

Frequently Asked Questions

Was my data accessed by DOGE?

If you are or were a federal employee, your personnel records almost certainly passed through OPM, Treasury, or FPPS systems that DOGE accessed starting February 2025. If you have a Social Security number, your NUMIDENT record was potentially reached per two separate whistleblower allegations. There was no formal breach notification in the traditional sense. No one received a letter. That does not mean it was not accessed. The scale means it is safer to assume your data was touched than to assume it was not.

Who is John Solly and what did he allegedly do?

John Solly is a 23-year-old software engineer who worked at DOGE and had access to SSA systems. Wired and the Washington Post identified him on March 10, 2026 as the unnamed individual in a whistleblower complaint alleging he copied the NUMIDENT and Death Master File (covering 500+ million records) to a personal thumb drive. The whistleblower account described him as having "God-level access" to SSA systems during his time at DOGE. Since October 2025 he has worked as CTO of Leidos's health IT division. Solly and Leidos deny all allegations. The SSA Inspector General is investigating.

What is the NUMIDENT database and why does it matter?

NUMIDENT is the SSA's master identity file. It contains Social Security card application records for every person ever issued an SSN, roughly 300 million living Americans plus records for the deceased. It includes SSN, full name, date and place of birth, citizenship status, race and ethnicity, parents' names, phone number, and address. Combined with the Death Master File, the two databases alleged to have been on Solly's thumb drive cover more than 500 million records. This is not a partial breach of a subset of records. These databases cover essentially every American.

Do I still have free identity theft protection from the 2015 OPM breach?

If you were notified you were affected by the 2015 OPM breach and enrolled with IDX, your coverage expires September 30, 2026. If you enrolled after the initial 2015 notification, it expires on your personal 10-year anniversary. IDX has been sending expiration notices. Check your email for messages from IDX or nrc.idprotectionservices.com, and set up free alternatives before your coverage lapses.

Can I file a Privacy Act complaint about how DOGE accessed my records?

Yes. Every agency has a privacy office that accepts Privacy Act complaints. You can also request a copy of your own records under the Privacy Act. A D.C. federal court's March 2026 ruling allowing five federal employees' Privacy Act lawsuit to advance to discovery is the strongest ruling yet in employees' favor. An individual suit requires an attorney and demonstrated harm, but filing a Privacy Act access request with your agency is free, creates a record, and does not require proving standing.

What are the security clearance implications?

If your background investigation predates 2015, your SF-86 data was already compromised in the 2015 OPM breach. The DOGE incidents added HR and payroll data exposure for many active clearance holders. The most documented real-world risk from the 2015 breach is spear phishing and social engineering. Adversaries with SF-86 data know your foreign contacts, financial vulnerabilities, and family members. Be alert to unsolicited contact from anyone who appears to know unusual personal details. Report suspected targeting to your agency security officer and the FBI.

What whistleblower protections exist for federal employees who report data misuse?

The Whistleblower Protection Act covers federal employees who disclose information they reasonably believe shows a violation of law or regulation, gross mismanagement, gross waste, abuse of authority, or substantial danger to public health or safety. Report to your agency Inspector General (identity protected by law) or to the Office of Special Counsel at osc.gov (OSC keeps your identity confidential). Retaliation against a whistleblower is itself a prohibited personnel practice under 5 U.S.C. 2302(b)(8).

What happened to the court cases challenging DOGE data access?

Courts initially sided with plaintiffs: a federal judge found OPM "violated the law and bypassed cybersecurity practices" (June 2025), and earlier courts issued preliminary injunctions. However, the Fourth Circuit lifted the main injunction in August 2025, finding plaintiffs likely lacked standing. The Supreme Court also restored DOGE's SSA access pending further review in June 2025. In March 2026, a D.C. federal court allowed a Privacy Act lawsuit by five federal employees to advance to discovery. Courts found likely violations, access continued due to standing and appellate reversals, and now discovery is underway. Administrative steps and personal protective measures remain your most reliable tools.

---

Related Resources

• RIF Survival Guide 2026: retention rights, bump and retreat, what to do if your position is targeted
• Federal Workforce Outlook 2026: DOGE actions, RIF timelines, agency-level tracking
• Schedule F Federal Employees Guide 2026: at-will conversion, career appointment protections, due process rights
• MSPB Ruling: Tenured Federal Employees 2026: MSPB appeal rights, whistleblower protections, due process

---

Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Privacy Act rights, whistleblower protections, and identity theft remedies involve legal and factual complexities specific to each individual's situation. Consult qualified legal counsel for advice on your specific circumstances. Allegations regarding John Solly and the thumb drive are from whistleblower complaints and are subject to ongoing SSA Inspector General investigation. Solly and Leidos deny the allegations.

Sources: Washington Post, Wired/New Republic, TechCrunch, NPR, Federal News Network, FedScoop, Bloomberg Law, House Oversight Committee, Senate HSGAC, GovExec, DOJ OPCL — Privacy Act Overview, FTC — Credit Freezes and Fraud Alerts, OPM Whistleblower Rights and Protections