The Federal Emergency Management Agency exposed the personal information of about 2.3 million disaster survivors, the agency’s inspector general discovered.
In “direct violation” of federal requirements, FEMA released the personal data to a contractor administering a disaster relief program that helps survivors find temporary lodging at hotels, the IG said. The report redacted the name of the contractor.
It leaves the survivors of hurricanes Irma, Harvey, and Maria, as well as the 2017 California wildfires, at increased risk of experiencing identity theft and fraud schemes, the Department of Homeland Security’s IG said in a report published Friday.
“During our ongoing audit of the Federal Emergency Management Agency’s (FEMA) Transitional Sheltering Assistance program, we determined that FEMA violated the Privacy Act of 1974 and Department of Homeland Security policy,” the inspector general said in its report.
Details about possible penalties for violating the law were not immediately clear.
FEMA sent the contractor data that included the names of disaster relief applicants’ banks and electronic funds transfer numbers, the IG said.
In a statement, FEMA Press Secretary Lizzie Litzow acknowledged that the agency had given the contractor “more information than was necessary,” adding that FEMA had “taken aggressive measures to correct this error.”
“FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” Litzow said.
The agency, she added, has worked with the contractor to “remove the unnecessary data from the system and updated its contract to ensure compliance” with DHS standards. FEMA has found “no indicators to suggest survivor data has been compromised,” she said.
Read more about the report on CyberScoop.