FEMA Disaster Survivor Assistance (DSA) team members Juan Ramirez and Pedro Agosto Rivera, left, and FEMA Corps member Andrew Winston, right, visit Hurricane Maria survivors in Mayaguez, Puerto Rico, on March 21, 2018. (Michael Medina-Latorre/FEMA)

FEMA ‘Released Unnecessary’ Private Data of 2.3 Million Disaster Survivors

The Federal Emergency Management Agency mishandled personal information of 2.3 million disaster survivors while transferring information to a contractor for the Transitional Sheltering Assistance program, the Department of Homeland Security Office of Inspector General said in a report released today.

The breach affected survivors of hurricanes Harvey, Irma and Maria, as well as the 2017 California wildfires.

“FEMA should only provide with limited information needed to verify disaster survivors’ eligibility for the TSA program,” said the management alert from OIG John V. Kelly. “The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements to [redacted]. Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”

The TSA program finds shelter for disaster survivors in hotels to relieve some of the burden from emergency shelters. FEMA “released unnecessary” personally identifiable information, including name, address and birthdate, as well as sensitive PII, which could include financial account information.

“A privacy incident occurred because FEMA did not ensure it shared with the contractor only the data elements the contractor requires to perform its official duties administering the TSA program,” the OIG continued. “FEMA provided and continues to provide [redacted] with more than 20 unnecessary data fields for survivors participating in the TSA program.”

“FEMA headquarters officials told us it may be feasible to change the data transfer script to remove the unnecessary PII, but such change would need to be coordinated with the Individual Assistance and Mass Care program offices, which may be time consuming.”

The failure to limit the release of personal information to only required data “has placed approximately 2.3 million disaster survivors at increased risk of identity theft and fraud,” OIG said.

FEMA press secretary Lizzie Litzow said in a statement that since the issue was discovered the agency “has taken aggressive measures to correct this error.”

“FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” Litzow said. “To date, FEMA has found no indicators to suggest survivor data has been compromised. FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security cybersecurity and information-sharing standards. As an added measure, FEMA instructed contracted staff to complete additional DHS privacy training.”

“FEMA’s goal remains protecting and strengthening the integrity, effectiveness, and security of our disaster programs that help people before, during, and after disasters,” she added.

The OIG said FEMA concurred with both of the office’s recommendations: that FEMA’s “Assistant Administrator for the Recovery Directorate implement controls to ensure that the agency only sends required data elements of registered disaster survivors to contractors,” and that the directorate “assess the extent of this privacy incident and implement a process for ensuring that Personally Identifiable Information, including Sensitive Personally Identifiable Information, of registered disaster survivors previously released to [redacted] is properly destroyed pursuant to DHS policy.”

“FEMA’s estimated completion date for implementing the recommendations is June 30, 2020. Given the sensitive nature of these findings, we urge FEMA to expedite this timeline,” the OIG added.

Bridget Johnson is the Managing Editor for Homeland Security Today. A veteran journalist whose news articles and analyses have run in dozens of news outlets across the globe, Bridget first came to Washington to be online editor and a foreign policy writer at The Hill. Previously she was an editorial board member at the Rocky Mountain News and syndicated nation/world news columnist at the Los Angeles Daily News. Bridget is a senior fellow specializing in terrorism analysis at the Haym Salomon Center. She is a Senior Risk Analyst for Gate 15, a private investigator and a security consultant. She is an NPR on-air contributor and has contributed to USA Today, The Wall Street Journal, New York Observer, National Review Online, Politico, New York Daily News, The Jerusalem Post, The Hill, Washington Times, RealClearWorld and more, and has myriad television and radio credits including Al-Jazeera and SiriusXM.

Leave a Reply

Latest from Emergency Preparedness

SIGN UP NOW for FREE News & Analysis on topics of your choice across homeland security!

BEYOND POLITICS.  IT'S ABOUT THE MISSION. 

Go to Top
Malcare WordPress Security