The Internal Revenue Service failed to tell nearly half a million victims of identity theft last year their information was being used by others for employment purposes, according to a new report, which attributed the failure to a computer programming error.

The report, from the Treasury Inspector General for Tax Administration, found the programming glitch kept the IRS from notifying 458,658 victims of “employment identity theft.” The identity thieves used the victim’s identity to get jobs. Employment identity theft can be a big problem for legitimate taxpayers, as the IRS could incorrectly compute their taxes based on income that doesn’t belong to them.

The IRS didn’t send the notice to anybody who had been identified as an employment identity theft victim in previous years. A programming error limited notifications to just the victims whose information was identified on a processing year 2017 return who weren’t previously identified as a victim. Each of these 458,658 taxpayers’ Social Security Numbers was used on a tax return before that year and they were identified by the IRS as a victim of employment identity theft. The IRS asked its programmers to correct the error last September, although it isn’t clear if the problem has been fixed yet.

On top of that, the report found 15,168 of the 112,445 employment identity theft notices (that is, 13.5 percent of them) issued by the IRS last year were erroneously sent to taxpayers who actually weren’t employment identity theft victims at all. In most cases, these taxpayers were the spouses of taxpayers who filed legitimate tax returns reporting the spouses’ wages and Social Security Numbers. But the IRS mistakenly placed an employment identity theft marker on the spouses’ tax accounts, which then generated the incorrect notices.

“Taxpayers need to be notified once the IRS is aware that their identities are being used by others to gain employment,” said TIGTA Inspector General J. Russell George in a statement. “TIGTA’s audit found that the IRS needs to improve its process of notifying them, and we have made specific recommendations for doing so.”

TIGTA made four recommendations in the report, saying the IRS should send the employment identity theft notice to the 458,658 victims identified last year informing them that their Social Security Number was used by someone else to get employment. It also suggested the IRS reverse the employment identity theft marker on the incorrect 15,168 taxpayers’ accounts and let them know the notice was sent to them in error. TIGTA also recommended the IRS revise its programming to ensure that the employment identity theft marker is not erroneously placed on tax accounts; and identify any instances, prior to processing year 2017, in which it erroneously placed the employment identity theft marker on taxpayers’ accounts. The IRS agreed with TIGTA’s recommendations and plans to take action to correct the problems with employment identity theft.

“Regardless of the type, the IRS takes IDT fraud very seriously and has expended substantial resources to identify and stop tax fraud and the victimization of innocent taxpayers when their personally identifiable information is misused,” wrote Kenneth Corbin, commissioner of the IRS’s Wage and Investment Division. “Since February 2011, we have been identifying returns that reflect discrepancies between the wages self-reported by a taxpayer and wages attributed to the taxpayer as reported by an individual using that taxpayer’s SSN.”

Based on the results of a pilot program, the IRS began notifying the victims of employment-related identity theft in January 2017. “The 2017 Filing Season was the initial season for the employment-related IDT notification program,” said Corbin. “Throughout this season, we monitored the notification program to not only identify any programming issues, but to continue to refine and improve our process for notifying individuals when their SSNs were being misused by others for employment purposes.”

