FEMA shared California wildfire victims’ personal data with outside vendor

Millions of disaster victims — including thousands of those hit by California wildfires — had personally identifiable information put in jeopardy when they applied for housing relief with the Federal Emergency Management Agency, authorities said Friday.

The federal Office of Inspector General said the information was included in applications hurricane and wildfire victims submitted to FEMA’s Transitional Sheltering Assistance program and was passed onto vendors without some of it being removed.

“During our audit … we determined that FEMA violated the Privacy Act of 1974 and Department of Homeland Security policy by releasing [personally identifiable information] of 2.3 million survivors of Hurricane Harvey, Irma, and Maria and the California wildfires in 2017,” the March 15 memo stated. “Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”

The information included applicants’ full names, last four digits of their Social Security numbers, home addresses, and bank account and routing numbers.

“I want to be clear, this is not a compromise, it was an oversharing of information with a contracted vendor,” Abigail Dennis of FEMA said in an email. “There has been no information to suggest that survivor data has been compromised.”

Some of the jeopardized information was needed in an earlier version of the Transitional Sheltering Assistance program to directly place funds into the bank accounts of displaced disaster victims.

But in the new version of the program, FEMA has to send over only 13 pieces of data from an application to verify someone’s eligibility. Instead, it was providing more than 20 pieces, including sensitive personally identifiable information such as the applicant’s address and ZIP Code, as well as bank names, account numbers and routing numbers.

The vendor “did not notify FEMA that it was providing information unnecessary to fulfilling the contract terms,” the Inspector General’s Office wrote, while acknowledging that the company was not required to do so.

Had the company told FEMA it was sending over more information than necessary, the memo said, “FEMA may have been able to remedy this situation earlier and avoid additional privacy incidents.”

The information included data belonging to victims of the 2017 California wildfires in wine country and in Ventura and Santa Barbara counties.

In a response to a draft of the inspector general’s memo given to FEMA before its public release, the agency said it stopped sending unnecessary information to the vendor Dec. 7, after it learned about the practice from auditors.

“Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” FEMA spokeswoman Lizzie Litzow said in an emailed statement.

“FEMA has found no indicators to suggest survivor data has been compromised. FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security cybersecurity and information-sharing standards.”

But neither FEMA nor the Inspector General’s Office can say whether the vendor’s database of victims’ information was ever breached by an outside party because the company’s logs go back only 30 days, the memo said. Logs showed no breach in the 30 days of records available.

That shouldn’t be any consolation for the potential victims, said Michael Greenberger, a law professor and founder of the University of Maryland’s Center for Health and Homeland Security.

“They probably sent it digitally. When that information is transmitted, it can be picked up by bad actors. The contractor doesn’t know if its database has been invaded, and the fact it only goes back a month is meaningless,” he said.

“The fact you have an independent investigator calling this into question — there’s no excuse for this,” Greenberger added. “The only thing I can say in fairness to FEMA is that data like this is being lost across the country like crazy…. This is a nationwide problem.”

Auditors also found 11 security vulnerabilities in how the vendor stores information, the memo said. FEMA replied that four have since been fixed with the other seven expected to be fixed by June 30, 2020.

“Given the sensitive nature of these findings, we urge FEMA to expedite this timeline,” the Office of the Inspector General wrote.