IE 11 is not supported. For an optimal experience visit our site on another browser.

FEMA put 2.3M survivors of hurricanes, wildfires at risk of identity theft, watchdog says

Survivors of the 2017 California wildfires, hurricanes Harvey, Irma and Maria were among the millions whose privacy was violated, the inspector general's report says.
Image: People Queue to File FEMA Forms
People wait at the Jose de Diego Elementary School to file FEMA forms for federal aid in the aftermath of Hurricane Maria on Oct. 2, 2017 in Las Piedras, Puerto Rico.Carlos Giusti / AP file

The Federal Emergency Management Agency failed to safeguard personally identifying information of U.S. disaster survivors, putting millions of Americans at risk of fraud or identity theft, the Department of Homeland Security inspector general finds in a new report.

The problem occurred when FEMA unnecessarily released to a private contractor personal information of people applying for transitional housing in 2017. The breach violated the Privacy Act of 1974, the report said.

The office estimates that the 2.3 million people put at risk include survivors of the 2017 California wildfires as well as hurricanes Harvey, Irma and Maria.

FEMA, the agency which provides relief to U.S. citizens following major disasters, provided its contractor with "more than 20 unnecessary data fields for survivors participating in the sheltering program," the March 15 report states.

Image: President Trump walks past hurricane wreckage as he visits areas damaged by Hurricane Maria in Guaynabo, Puerto Rico
President Donald Trump, with first lady Melania Trump, tour areas damaged by Hurricane Maria in Guaynabo, Puerto Rico, on Oct. 3, 2017.Jonathan Ernst / Reuters file

Some of the unnecessary data provided to the contractor included sensitive personal information such as electronic funds transfer numbers and bank transit numbers.

"Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud," the report said.

The name of the contracted company was not identified in the report.

Lizzie Litzow, FEMA's press secretary, said in a statement to NBC News on Friday that the agency "worked with the contractor to remove the unnecessary data from the system."

"FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system," Litzow said. "To date, FEMA has found no indicators to suggest survivor data has been compromised."

The agency also said it has instructed contractors to complete additional DHS privacy training.