March 23 (UPI) — The Federal Emergency Management Agency released private information of more than 2 million survivors of hurricanes and fires in 2017 to a contractor against federal privacy law, the Department of Homeland Security inspector general said.
The inspector general report filed last week stated that the information was released while FEMA was working with a federal contractor to help victims of hurricanes Harvey, Irma and Maria find housing, along with those affected by the California wildfires.
That information included the last four digits of the survivors’ Social Security numbers, the number of people living in households, bank names, electronic funds transfer numbers and bank transit numbers.
“The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements … ,” the inspector general report stated. “Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”
The report said the contractor administered a FEMA program that helped disaster survivors obtain short-term lodging at participating hotels. FEMA said more than 2.3 million disaster survivor registrants were eligible for the program after the 2017 hurricanes and wildfires.
FEMA press secretary Lizzie Litzow said in a statement Friday that the agency has been working with the Department of Homeland Security to identify the problem in its Transitional Sheltering Assistance program, acknowledging that the contractor should not have received such detailed information on survivors.
“Since the discovery of this issue, FEMA has taken aggressive measures to correct this error,” Litzow said. “FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system.
“To date, FEMA has found no indicators to suggest survivor data has been compromised. FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security cybersecurity and information-sharing standards,” she continued.
Litzow said that contracted staff has been ordered to take additional DHS privacy training.
“FEMA’s goal remains protecting and strengthening the integrity, effectiveness, and security of our disaster programs that help people before, during, and after disasters,” Litzow said.