News

Actions

FEMA shared 2.3 million disaster survivors’ personal information with contractor

Posted at 9:09 PM, Mar 22, 2019
and last updated 2019-03-22 21:09:41-04

Millions of hurricane and wildfire survivors are learning that they’re at “increased risk of identity theft and fraud” because the Federal Emergency Management Agency shared their banking and other private information.

The Department of Homeland Security inspector general said Fridaythat FEMA had unlawfully disclosed the private data of 2.3 million survivors with a federal contractor that was helping them find temporary housing.

The Department of Homeland Security inspector general said on March 22, 2019, that the Federal Emergency Management Agency unlawfully shared the private information of 2.3 million hurricane and wildfire survivors with a federal contractor that was helping them find temporary housing.

The 2.3 million people include survivors of Hurricanes Harvey, Irma and Maria and the 2017 California wildfires.

The data includes “20 unnecessary data fields” such as electronic funds transfer number, bank transit number, and address. The data was part of a stream of information the agency feeds to the housing contractor, whose name was redacted from the public version of the inspector general’s report.

Related: California’s largest utility provider could face murder charges for wildfires, AG says

FEMA said it began filtering the data in December 2018 to prevent the information from being shared, but a more permanent fix may not be finalized until June 2020.

“Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” said Lizzie Litzow, press secretary for FEMA, in a statement.

“To date, FEMA has found no indicators to suggest survivor data has been compromised,” Litzow said, although the inspector general’s office said the contractor keeps data security logs only for the past 30 days.

The statement also said FEMA was requiring additional privacy training for contractors and “worked with the contractor to remove the unnecessary data from the system.”