FEMA leaks sensitive personal data records on 2.3M disaster victims

A government report revealed that the Federal Emergency Management Agency (FEMA) did not safeguard the personal data of up to 2.3 million disaster survivors. FEMA shared the sensitive personally identifiable information (SPII) with a third party.

According to the Office of the Inspector General report titled “Management Alert – FEMA Did Not Safeguard Disaster Survivors’ Sensitive Personally Identifiable Information,” FEMA shared more sensitive data elements with a third party than were necessary.

A summary of the findings from the report:

“During our ongoing audit of the Federal Emergency Management Agency’s (FEMA) Transitional Sheltering Assistance (TSA) program, we determined that FEMA violated the Privacy Act of 1974 and Department of Homeland Security policy by releasing to [third party name redacted] the PII and SPII of 2.3 million survivors of hurricanes Harvey, Irma, and Maria and the California wildfires in 2017. FEMA should only provide [name redacted] with limited information needed to verify disaster survivors’ eligibility for the TSA program. The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements to [name redacted.] Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”

The privacy incident occurred because FEMA shared with the contractor more than 20 unnecessary data fields for survivors.

Six of the 20 elements were more sensitive data types, namely the applicant’s:

  1. Street Address
  2. City Name
  3. Zip Code
  4. Financial Institution Name
  5. Electronic Funds Transfer Number
  6. Bank Transit Number

The report recommended that FEMA only send the minimum required data elements of registered disaster survivors to contractors. In addition, a process should be implemented to destroy the personal data, including SPII, of the disaster survivors that was shared with the contractor.

FEMA said the accidental data leak had been taken care of and the data removed from the third party’s system.