The Federal Emergency Management Agency unnecessarily shared personal data of 2.3 million disaster survivors with an outside contractor, putting that information at risk for potential identity theft and fraud. That was the conclusion of a report by John V. Kelly, acting Inspector General for the Homeland Security Department, which found the improperly sharing of data affected victims from four major 2017 disasters— Hurricanes Harvey, Irma, and Maria as well as the California wildfires. Although the report was dated March 15 it was released publicly Friday.
The disaster victims had given FEMA, which is part of Homeland Security, the information as part of the effort to obtain temporary shelter in hotels. The information that FEMA improperly shared with the contractor that was in charge of the shelter program includes full names, birth dates, partial social security numbers, addresses and financial information, which includes details of banking information. FEMA insisted Friday night after the report was publicly released that there was no evidence the data had been compromised but also acknowledged the contractor only has security logs for the past 30 days.
Although the contractor, whose name was redacted in the report, never alerted FEMA that it was receiving more information than it needed, it was not required to do so under the terms of the contract. Still, if there had been an alert, FEMA “may have been able to remedy this situation earlier and avoid additional privacy incidents,” the report said. “Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”
FEMA acknowledged it had made a mistake in sharing the data but insisted the issue has since been corrected. “Since discovery of this issue, FEMA has taken aggressive measures to correct this error,” the the agency’s press secretary, Lizzie Litzow, said in a statement. “FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system.”