On the one hand, that's thousands of SSN among millions of exempt orgs, so it's needles among haystacks. But on the other, when I worked there we guarded PII on pain of termination (and possible prosecution.)
I agree with Fungus, except that if we quit pretending SSN are super secret, then who would be responsible when identity theft happens? Corporations? I think not!