Private documents visible but access denied?

Got a client where they were using Delve and not paying much attention, then one day noticed users could see content not shared with them when browing to other users Delve pages.  They see a card for a document, but when they click it, they get access denied.  If they go to the user's actual OneDrive, they do not see the content, but it shows in Delve.  This is not how it's supposed to work and causing some huge worry about security.  They chose to disable the Office Graph until we get to the bottom of this.  Anyone else seen this?