The Federal Emergency Management Agency violated the privacy of 2.3 million survivors of California wildfires and three hurricanes in 2017 by releasing their personal information, a government watchdog said Friday.
FEMA’s inspector general said in a report that the agency violated the Privacy Act of 1974 and Homeland Security Department policy, putting disaster survivors “at increased risk of identity theft and fraud.”
FEMA collects personal information from disaster survivors to determine their eligibility for federal aid. The agency is supposed to share with a contractor information about survivors such as their full name, date of birth and the last four digits of their Social Security number.
But the inspector general said FEMA improperly released more information about the survivors, including their street address, the name of their bank, their electronic funds transfer number and their bank transit number.
The survivors were victims of the California wildfires and Hurricanes Harvey, Irma and Maria.
FEMA said it is taking steps “to assess and mitigate this privacy incident,” including deploying a team of cybersecurity personnel to the contractor’s facilities, the report said.
The agency said its investigators found “no indication of intrusion within the last 30 days,” although FEMA also learned that the contractor did not maintain logs past 30 days.
In a statement, FEMA acknowledged that it “provided more information than was necessary” to its contractor.
“FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” the statement said. “To date, FEMA has found no indicators to suggest survivor data has been compromised.”
The agency said it has “taken aggressive measures to correct this error.”
• Dave Boyer can be reached at dboyer@washingtontimes.com.