IRS employees sent numerous emails with unencrypted taxpayer data, in violation of the agency’s email policies, according to a report by the Treasury Inspector General for Tax Administration (TIGTA). As the report notes, almost half of IRS employees sampled failed to abide by the agency’s email policies. Based on these findings, TIGTA estimates that the information of more than 28 million taxpayers could be vulnerable.
Under IRS procedure, employees can only send emails containing taxpayer data if the data is properly encrypted. As the report notes:
“IRS employees should never include taxpayer PII/tax return information in electronic mail (e-mail) messages or attachments unless an IRS-approved encryption technology is used.”
However, this was not the case. In a random sample of 80 employees, TIGTA found that 49 percent of employees failed to follow IRS guidelines. As the report notes:
“39 (49 percent) employees sent a total of 326 unencrypted e-mails containing 8,031 different taxpayers’ PII/tax return information internally to other IRS employees or externally to non-IRS e-mail accounts.”
As the report notes, this poses a serious risk that taxpayer information will be improperly disclosed. The information sent in these emails included personally identifiable information and tax return information. Of most concern, TIGTA identified 51 emails that were sent to non-IRS e-mail accounts and an additional 20 that were sent to personal e-mail accounts.
TIGTA determined that this issue could affect more than 28 million taxpayers. According to the report:
“Based on our sample results, we estimate that 11,416 SB/SE Division employees sent 95,396 unencrypted e-mails with taxpayer PII/tax return information for 2.4 million taxpayers during the four-week period of our sample. If this four-week period is typical, we estimate that more than 1.1 million unencrypted e-mails with taxpayer PII/tax return information of 28.2 million taxpayers could be sent annually.”
This is not the first time the IRS has left taxpayers in danger. In September, TIGTA released a report on the failure of the IRS to ensure that contractors properly returned laptops containing sensitive taxpayer information. TIGTA estimated that the IRS had failed to properly document the return of 84.2 percent, or more than 1,000, of the computers due to be returned by contract employees.
Additionally, last year a data breach left hundreds of thousands of taxpayers’ information exposed, after the IRS had been warned by watchdog groups. Following the hack, TIGTA revealed that the IRS failed to implement 44 recommendations that would improve the IRS’s ability to protect taxpayer information from hackers. Of these 44, ten recommendations were over three years old.