FEMA Improperly Shared Sensitive Information of 2.3 Million Disaster Survivors


The Federal Emergency Management Agency (FEMA) failed to safeguard the sensitive personally identifiable information (SPII) of 2.3 million survivors of hurricanes Harvey, Irma, Maria and the California wildfires in 2017.

The disaster survivors affected by the privacy incident or breach are at risk of becoming victims of identity theft and fraud.

The Inspector General’s Office of the Department of Homeland Security (DHS) discovered the privacy incident during an ongoing audit of FEMA’s Transitional Sheltering Assistance (TSA) program.

FEMA provides transitional sheltering in hotels to people displaced by emergencies or major disasters through the TSA program.

According to DHS Acting Inspector General John V. Kelly, FEMA improperly released disaster survivors’ SPII to its contractor. The sensitive information exposed includes personal addresses and banking information such as electronic funds transfer number and bank transit number.

Kelly said that the unnecessary transfer of disaster survivors’ SPII to the contractor is a violation of the Privacy Act of 1974 and DHS policy. He recommended corrective actions to FEMA to prevent any privacy incident in the future.

FEMA implemented measures to mitigate the breach

FEMA accepted his recommendations and started implementing measures to assess and mitigate the breach. The agency deployed a Joint Assessment Team of cybersecurity personnel to its contractor’s facilities. The team documented and removed the improperly shared sensitive personal information from its contractor’s systems.