Update | March 25, 2019: FEMA told The Consortium Sunday afternoon that the accidental release of data belonging to 2.3 million disaster victims to a contractor FEMA has not named, did not include data of Virgin Islanders disaster victims.
The Federal Emergency Management Agency has acknowledged in a recent report that it inadvertently released personal information of more than 2.3 million disaster victims — among them those affected by Hurricanes Irma and Maria, Hurricane Harvey, and victims of the 2017 California wildfires. A government watchdog has described the release as a “major privacy incident,” with potential life-ruining consequences for those affected, including possible identity theft and fraud.
FEMA’s inspector general said the information was accidentally released to a contractor, however the federal agency did not release the contractor’s identity as part of the report. Information released included Social Security numbers and bank information.
“In transferring disaster survivor information to a contractor, FEMA provided more information than was necessary,” said Lizzie Litzow, an agency spokeswoman, in a statement Friday. “Since discovery of this issue, FEMA has taken aggressive measures to correct this error.”
While FEMA maintains that the release was not a data breach, it did not deny that the faux pas could potentially harm the millions affected.
According to the report, the data released was of those who participated in FEMA’s transitional sheltering assistance program, which provides hotels or other forms of temporary housing for survivors who are not able to return to their homes for an extended period following a disaster.
“We overshared information with a contractor, but by all means this was not a data breach, no disaster survivor data or information under the program was compromised,” Daniel Llargues, a FEMA spokesman, said.
Ms. Litzow added, “FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system. To date, FEMA has found no indicators to suggest survivor data has been compromised.”
The personal information of the disaster victims was needed, FEMA said, because the program requires it to ensure that claims are not fraudulent, and for payments to be made quickly.
The inspector general’s report was released on March 15 and posted online Thursday. It included a number recommendations to FEMA, including sending only required information to contractors, and that the contractors destroy the information in a timely fashion.
FEMA said the contractor in question is working to implement necessary security changes.