The problem occurred when FEMA unnecessarily released to a private contractor personal information of people applying for transitional housing in 2017. The breach violated the Privacy Act of 1974, the report said.
The office estimates that the 2.3 million people put at risk include survivors of the 2017 California wildfires as well as hurricanes Harvey, Irma and Maria.
FEMA, the agency that provides relief to U.S. citizens following major disasters, provided its contractor with "more than 20 unnecessary data fields for survivors participating in the sheltering program," the March 15 report states.
Some of the unnecessary data provided to the contractor included sensitive personal information such as electronic funds transfer numbers and bank transit numbers.
"Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud," the report said.
The name of the contracted company was not identified in the report.
Lizzie Litzow, FEMA's press secretary, said in a statement to NBC News on Friday that the agency "worked with the contractor to remove the unnecessary data from the system."
"FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system," Litzow said. "To date, FEMA has found no indicators to suggest survivor data has been compromised."
The agency also said it has instructed contractors to complete additional DHS privacy training.
Doha Madani is a breaking news reporter for NBC News.