It happens every tax season. W2s or 1099s are mailed out with Social Security numbers or tax ID numbers visible through the envelopes window. Or, they are printed on mailing labels and slapped on the outside of the envelopes along with names and addresses. In this data breach, they were mailed out to the wrong recipients, placing the intended recipients in grave danger of identity theft.

The Ozarks Area Community Action Corporation (OACAC) data breach occurred because of an error when they mailed out 1099 tax forms to area landlords. Only half of the roughly 500 landlords who provided subsidized housing to low-income residents received their 1099 forms last month. However, the other half of the landlords received two 1099 forms—their own and, as a bonus—a second form for one of the other landlords that work with the OACAC of Springfield, Missouri.

The landlords whose forms were mistakenly mailed to the wrong recipients are now at a very high risk of identity theft. A 1099 is a form required by the IRS for any non-employee contractors who receive more than $600 in compensation for their services or products. The form is printed with the payer’s name, address and tax number, the contractor’s name, resident address, rental property address, financial compensation, Social Security number or tax ID number. The data breach made it for easy for any of the recipients to commit identity theft.

The OACAC director, Carl Rosenkranz, explained that the data breach occurred because the agency printed two tax forms onto a single piece of paper. The forms were supposed to be separated and mailed to the respective landlords, but were not. Rosenkranz said they can identify the landlords who received two forms.

The agency sent letters to the landlords apologizing for the error, and asked that anyone who received someone else’s forms please return it to the agency.

One of the service providers said he’d be more comfortable if the recipient just burned his form rather than send it back to the agency that made such a serious mistake.