FEMA released personal data on millions hit by Harvey, fires
Millions of disaster victims — including thousands of those hit by California wildfires and by Hurricane Harvey — had personally identifiable information compromised when they applied for housing relief with the Federal Emergency Management Agency, authorities said Friday.
The federal Office of Inspector General said the information was included in applications hurricane and wildfire victims submitted to FEMA’s Transitional Sheltering Assistance program for housing assistance and was passed on to vendors without some of it being removed.
“During our audit … we determined that FEMA violated the Privacy Act of 1974 and Department of Homeland Security policy by releasing (personally identifiable information) of 2.3 million survivors of Hurricane Harvey, Irma, and Maria and the California wildfires in 2017,” the March 15 memo stated. “Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”
The information included applicants’ full names, last four digits of their Social Security numbers, home addresses and bank account and routing numbers. Some of it was needed in an earlier version of the Transitional Sheltering Assistance program to directly place funds into the bank accounts of displaced disaster victims.
But in the new version of the program, FEMA has to send over only 13 pieces of data from an application to verify someone’s eligibility. Instead, it was providing more than 20 pieces, including sensitive personally identifiable information such as the applicant’s address and ZIP Code and bank names, account numbers and routing numbers.
The vendor “did not notify FEMA that it was providing information unnecessary to fulfilling the contract terms,” the Inspector General’s office wrote, while acknowledging that the company was not required to do so.
Had the company told FEMA that the agency was sending over more information than necessary, the memo said, “FEMA may have been able to remedy this situation earlier and avoid additional privacy incidents.”
The compromised information included data belonging to victims of the 2017 California wildfires in wine country and Ventura and Santa Barbara counties.
In a response to a draft of the inspector general’s memo given to FEMA before its public release, the agency said it stopped sending unnecessary information to the vendor Dec. 7, after it learned about the practice from auditors.
But neither FEMA nor the Inspector General’s Office can say whether the vendor’s database of victims’ information was ever breached by an outside party because the company’s logs only go back 30 days, the memo said. Logs showed no breach in the 30 days of records available.
Auditors also found 11 security vulnerabilities in how the vendor stores information, the memo said. FEMA replied that four have since been fixed, with the other seven expected to be fixed by June 30, 2020.
“Given the sensitive nature of these findings, we urge FEMA to expedite this timeline,” the Office of the Inspector General wrote.