The US Federal Emergency Management Agency has shared the personal and financial information of more than 2.3 million disaster victims with one of its contractors, a government report has revealed.
Hurricane Harvey, Irma, and Maria survivors, along with the California 2017 wildfires victims had their data shared inappropriately by FEMA officials, according to a report published this week by the Department of Homeland Security’s Office of Inspector General (OIG).
The data belonged to disaster victims who signed up with FEMA’s Transitional Sheltering Assistance (TSA) program to receive temporary housing.
The OIG report found that FEMA shared too much information about disaster victims with one of its contractors.
Normally, FEMA should have released 13 data points about each applicant to its contractors, but in this case, the agency released an additional 20 fields, some containing what the OIG described as “sensitive personally identifiable information” (SPII), such as the applicant’s street name, city, ZIP code, and bank and other financial details.
The name of the contractor who received this data was redacted in the OIG report. It also didn’t say when the data breach occurred, but it’s believed to have happened sometime between the fall of 2017 and mid-2018 when the DHS OIG audit took place.
In a canned statement sent out to inquiring press, FEMA said it corrected the mistake.
“FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” Lizzie Litzow, FEMA’s press secretary, told ZDNet sister site CNET.
More data breach coverage: