A National Security Agency employee was able to secretly intercept the phone calls of nine foreign women for six years without ever being detected by his managers, the agency's internal watchdog has revealed.

The unauthorised abuse of the NSA's surveillance tools only came to light after one of the women, who happened to be a US government employee, told a colleague that she suspected the man – with whom she was having a sexual relationship – was listening to her calls.

The case is among 12 documented in a letter from the NSA's inspector general to a leading member of Congress, who asked for a breakdown of cases in which the agency's powerful surveillance apparatus was deliberately abused by staff. One relates to a member of the US military who, on the first day he gained access to the surveillance system, used it to spy on six email addresses belonging to former girlfriends.

The letter, from Dr George Ellard, only lists cases that were investigated and later "substantiated" by his office. But it raises the possibility that there are many more cases that go undetected. In a quarter of the cases, the NSA only found out about the misconduct after the employee confessed.

It also reveals limited disciplinary action taken against NSA staff found to have abused the system. In seven cases, individuals guilty of abusing their powers resigned or retired before disciplinary action could be taken. Two civilian employees kept their jobs – and, it appears, their security clearance – and escaped with only a written warning after they were found to have conducted unauthorised interceptions.

The abuses – technically breaches of the law – did not result in a single prosecution, even though more than half of the cases were referred to the Department of Justice. The DoJ did not respond to a request for information about why no charges were brought.

The NSA's director, Gen Keith Alexander, referred to the 12 cases in testimony to a congressional hearing on Thursday. He told senators on the intelligence committee that abuses of the NSA's powerful monitoring tools were "with very rare exception" unintentional mistakes.

"The press claimed evidence of thousands of privacy violations. This is false and misleading," he said.

"According to NSA's independent inspector general, there have been only 12 substantiated cases of willful violation over 10 years. Essentially, one per year."

He added: "Today, NSA has a privacy compliance program any leader of a large, complex organization would be proud of."

However, the small number of cases depicted in the inspector general's letter, which was published by Republican senator Chuck Grassley, could betray a far larger number that NSA managers never uncovered.

One of the cases emerged in 2011, when an NSA employee based abroad admitted during a lie-detector test that he had obtained details about his girlfriend's telephone calls "out of curiosity". He retired last year.

In a similar case, from 2005, an NSA employee admitted to obtaining his partner's phone data to determine whether she was "involved" with any foreign government officials. In a third, a female NSA employee said she listened to calls on an unknown foreign telephone number she discovered stored on his cell phone, suspecting he "had been unfaithful".

In another case, from two years ago, which was only discovered during an investigation into another matter, a woman employee of the agency confessed that she had obtained information about the phone of "her foreign-national boyfriend and other foreign nationals". She later told investigators she often used the NSA's surveillance tools to investigate the phone numbers of people she met socially, to ensure they were "not shady characters".

The case of the male NSA employee who spied on nine women occurred between 1998 and 2003. The letter states that the member of staff twice collected communications of an American, and "tasked nine telephone numbers of female foreign nationals, without a valid foreign intelligence purpose, and listened to collected phone conversations".