FEMA Exposes 2.3 Million Disaster Survivors to Potential Fraud
A Department of Homeland Security (DHS) Office of Inspector General (OIG) report has concluded that the Federal Emergency Management Agency (FEMA) failed to take necessary steps to protect personal data and released that data to unauthorized contractors. FEMA has been taking steps to address the issue.
According to the OIG report, FEMA collects Personally Identifiable Information (PII) and Sensitive PII (SPII) when providing transitional sheltering in hotels to disaster survivors displaced by emergencies and natural disasters. This information includes names, home addresses, birthdates, and financial account information.
Following Hurricanes Harvey, Irma, and Maria and the California wildfires in 2017, FEMA collected this data from more than 2.3 million disaster survivors. The OIG report finds this data was inadvertently given to a FEMA contractor, whose name was redacted from the report.
The report was critical of FEMA for the agency’s failure to “take steps to ensure it provided only required data elements to [the redacted contractor].” The OIG was also critical of the contractor for failing to notify the agency that they had received excess information, although they are not required to do so.
The OIG explains, “A privacy incident occurred because FEMA did not ensure it shared with the contractor only the data elements the contractor requires to perform its official duties administering the TSA program. FEMA provided and continues to provide with more than 20 unnecessary data fields for survivors participating in the TSA program… Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”
Upon conferring with the agency, FEMA officials “indicated it has begun to implement measures to assess and mitigate this privacy incident.” This effort includes removing the data from contractor systems with the help of a cyber-security team.
According to the agency, a Joint Assessment Team found no indication that the information had been subject to intrusion within the last 30 days, although the contractor did not maintain logs beyond 30 days.
The DHS OIG recommended several steps to remedy the incident and prevent further improper releases of information. FEMA has pledged to implement these recommendations by June 30, 2020.
This is not the first time the DHS OIG has critiqued FEMA for mishandling sensitive information. In 2015, a disaster response center in California was discovered to have stored survivor records in open, unsecured cardboard boxes. Information was also said to be mishandled in a case in 2013.
The DHS OIG is continuing this audit and plans to release additional recommendations regarding the issue in the full report.