The Federal Emergency Management Agency mishandled personal information of 2.3 million disaster survivors while transferring information to a contractor for the Transitional Sheltering Assistance program, the Department of Homeland Security Office of Inspector General said in a report released today.
The breach affected survivors of hurricanes Harvey, Irma and Maria, as well as the 2017 California wildfires.
“FEMA should only provide with limited information needed to verify disaster survivors’ eligibility for the TSA program,” said the management alert from the OIG’s John V. Kelly. “The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements to [redacted]. Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”
The TSA program finds shelter for disaster survivors in hotels to relieve some of the burden from emergency shelters. FEMA “released unnecessary” personally identifiable information, including name, address and birthdate, as well as sensitive PII, which could include financial account information.
“A privacy incident occurred because FEMA did not ensure it shared with the contractor only the data elements the contractor requires to perform its official duties administering the TSA program,” the OIG continued. “FEMA provided and continues to provide [redacted] with more than 20 unnecessary data fields for survivors participating in the TSA program.”
“FEMA headquarters officials told us it may be feasible to change the data transfer script to remove the unnecessary PII, but such change would need to be coordinated with the Individual Assistance and Mass Care program offices, which may be time consuming.”
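The fix the OIG describes, a transfer script that sends only the required data elements and a control that stops anything else from leaving, is in practice an allowlist filter with a fail-closed gate in front of the outbound channel. The following is an added example and is not FEMA’s, the contractor’s or the OIG’s code; the field names, the allowlist and the sample records are assumptions, because the actual TSA data elements are not public.

```python
"""Data-minimisation filter and outbound gate for contractor transfers.

Added example, not code from FEMA, its contractor or DHS OIG. The field
names below are assumptions; the real TSA data elements are not public.
"""
from typing import Dict, Iterable, List, Tuple

# Assumed allowlist: only what the contractor needs to verify eligibility and
# place a survivor in a hotel. Everything not listed here is dropped, so fields
# added to the source extract later fail closed instead of leaking.
CONTRACTOR_ALLOWLIST = frozenset({
    "registration_id",
    "last_name",
    "first_name",
    "eligibility_status",
    "eligible_from",
    "eligible_to",
})

# Constructed sample extract (fictitious values): the over-broad record an
# unfiltered transfer script would emit, carrying PII and sensitive PII the
# contractor has no use for.
SAMPLE_EXTRACT: List[Dict[str, str]] = [
    {
        "registration_id": "REG-0001",
        "last_name": "Doe",
        "first_name": "Jane",
        "date_of_birth": "1980-01-01",
        "home_address": "1 Example St, Houston TX",
        "bank_account_number": "000111222",
        "bank_routing_number": "999888777",
        "eligibility_status": "ELIGIBLE",
        "eligible_from": "2017-09-01",
        "eligible_to": "2017-10-15",
    },
    {
        "registration_id": "REG-0002",
        "last_name": "Roe",
        "first_name": "Richard",
        "date_of_birth": "1975-05-05",
        "home_address": "2 Example Ave, San Juan PR",
        "bank_account_number": "333444555",
        "eligibility_status": "PENDING",
        "eligible_from": "",
        "eligible_to": "",
    },
]


def minimise(record: Dict[str, str],
             allowlist: frozenset = CONTRACTOR_ALLOWLIST
             ) -> Tuple[Dict[str, str], frozenset]:
    """Return (allowlisted copy of record, names of the fields dropped)."""
    kept = {k: v for k, v in record.items() if k in allowlist}
    dropped = frozenset(record) - allowlist
    return kept, dropped


def prepare_transfer(records: Iterable[Dict[str, str]],
                     allowlist: frozenset = CONTRACTOR_ALLOWLIST
                     ) -> Tuple[List[Dict[str, str]], Dict[str, int]]:
    """Strip every record and tally which fields were removed, so the run can
    be audited (the tally is the evidence that unnecessary PII was withheld)."""
    out: List[Dict[str, str]] = []
    drop_counts: Dict[str, int] = {}
    for record in records:
        kept, dropped = minimise(record, allowlist)
        out.append(kept)
        for field in dropped:
            drop_counts[field] = drop_counts.get(field, 0) + 1
    return out, drop_counts


def verify_outbound(records: Iterable[Dict[str, str]],
                    allowlist: frozenset = CONTRACTOR_ALLOWLIST
                    ) -> List[Tuple[int, str]]:
    """Gate placed on the transmission path, independent of the script that
    built the batch. Returns (record index, field) for every non-allowlisted
    field; an empty list means the batch may be sent. Any violation should
    abort the transfer rather than be logged and forwarded."""
    return [(i, f) for i, r in enumerate(records) for f in r if f not in allowlist]


if __name__ == "__main__":
    # Unfiltered batch is blocked; filtered batch passes.
    print("raw batch violations:", verify_outbound(SAMPLE_EXTRACT))
    batch, tally = prepare_transfer(SAMPLE_EXTRACT)
    print("fields withheld:", tally)
    print("filtered batch violations:", verify_outbound(batch))
```

The allowlist is the important design choice: a denylist of the twenty-odd fields the OIG identified would silently pass any field a future change to the extract introduces, whereas an allowlist only ever sends what has been explicitly justified. Keeping `verify_outbound` separate from `prepare_transfer` means a regression in the transfer script is caught before transmission rather than discovered in a later audit.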
The failure to limit the release of personal information to only required data “has placed approximately 2.3 million disaster survivors at increased risk of identity theft and fraud,” OIG said.
FEMA press secretary Lizzie Litzow said in a statement that since the issue was discovered the agency “has taken aggressive measures to correct this error.”
“FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” Litzow said. “To date, FEMA has found no indicators to suggest survivor data has been compromised. FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security cybersecurity and information-sharing standards. As an added measure, FEMA instructed contracted staff to complete additional DHS privacy training.”
“FEMA’s goal remains protecting and strengthening the integrity, effectiveness, and security of our disaster programs that help people before, during, and after disasters,” she added.
The OIG said FEMA concurred with both of the office’s recommendations: that FEMA’s “Assistant Administrator for the Recovery Directorate implement controls to ensure that the agency only sends required data elements of registered disaster survivors to contractors,” and that the directorate “assess the extent of this privacy incident and implement a process for ensuring that Personally Identifiable Information, including Sensitive Personally Identifiable Information, of registered disaster survivors previously released to [redacted] is properly destroyed pursuant to DHS policy.”
“FEMA’s estimated completion date for implementing the recommendations is June 30, 2020. Given the sensitive nature of these findings, we urge FEMA to expedite this timeline,” the OIG added.