A major breach at the Federal Emergency Management Agency (FEMA) exposed the personal data of more than 2 million disaster victims. The exposure occurred because FEMA overshared survivor data with a contractor.
Affected victims include those affected by hurricanes Harvey, Irma, and Maria and the California wildfires in 2017.
The Office of Inspector General (OIG) at the Department of Homeland Security (DHS), which oversees FEMA, conducted an audit of the agency. The OIG determined that FEMA had failed to protect personally identifiable information and had released it to unauthorized contractors.
FEMA overshared the information with a contractor that was determining eligibility for its Transitional Sheltering Assistance (TSA) program. FEMA shared more than 20 unnecessary types of Personally Identifiable Information (PII); 6 of those types were sensitive PII (SPII). The overshared information included the applicant's street address, city name, zip code, financial institution name, electronic funds transfer number, and bank transit number.
The OIG report stated that FEMA should have given the contractor only the information needed to verify disaster survivors. The report further said:
“The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements to [redacted]. Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”
In addition, the OIG determined that the contracting company failed to notify FEMA that it had received more information than required in the data transfer.
The OIG made two recommendations for FEMA. First, FEMA should ensure that only the data a contractor needs is sent to it. Second, FEMA should implement policies to ensure that all PII and SPII already released are properly removed.
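The first recommendation (send only required data elements) and the contractor's missed notification duty can both be enforced mechanically with an allow-list applied on each side of the transfer. The following is an added illustration, not FEMA's or the OIG's code; the allow-list of fields assumed to be needed for TSA eligibility verification is hypothetical, since the report does not list the required data elements, and the sample applicant record is constructed.

```python
"""Data-minimization check for a contractor data transfer (added example)."""
from dataclasses import dataclass

# HYPOTHETICAL allow-list: the fields assumed sufficient for eligibility
# verification. The real required set is not stated in the OIG report.
TSA_VERIFICATION_ALLOWLIST = frozenset(
    {"registration_id", "first_name", "last_name", "disaster_number"}
)

# Field names for the sensitive elements the report lists as overshared.
SPII_FIELDS = frozenset(
    {"financial_institution_name", "eft_number", "bank_transit_number"}
)


@dataclass
class TransferReport:
    released: dict      # what is actually sent to the contractor
    dropped: list       # every field stripped before sending
    spii_dropped: list  # the subset of dropped fields that are SPII


def minimize_record(record: dict, allowlist=TSA_VERIFICATION_ALLOWLIST) -> TransferReport:
    """Sending side: keep only allow-listed fields and log what was stripped."""
    released = {k: v for k, v in record.items() if k in allowlist}
    dropped = sorted(k for k in record if k not in allowlist)
    spii_dropped = [k for k in dropped if k in SPII_FIELDS]
    return TransferReport(released, dropped, spii_dropped)


def audit_received(record: dict, allowlist=TSA_VERIFICATION_ALLOWLIST) -> list:
    """Receiving side: any field outside the agreed allow-list is an
    over-delivery that should trigger notification back to the sender."""
    return sorted(k for k in record if k not in allowlist)


# Constructed sample record; all values are placeholders, not real data.
SAMPLE_APPLICANT = {
    "registration_id": "REG-EXAMPLE-0001",
    "first_name": "Jane",
    "last_name": "Doe",
    "disaster_number": "DR-EXAMPLE",
    "street_address": "1 Example St",
    "city": "Exampletown",
    "zip": "00000",
    "financial_institution_name": "Example Bank",
    "eft_number": "000000000",
    "bank_transit_number": "000000000",
}

if __name__ == "__main__":
    report = minimize_record(SAMPLE_APPLICANT)
    print("released:", sorted(report.released))
    print("stripped SPII:", report.spii_dropped)
    print("over-delivery on unfiltered record:", audit_received(SAMPLE_APPLICANT))
```

Run on the unfiltered record, `audit_received` returns the six overshared fields, which is the signal the contractor in this incident never raised.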
At this time, FEMA is working with the contracting company to ensure that all unnecessary data is destroyed. FEMA has also committed to implementing the recommendations by June 30, 2020.
FEMA has stated the following:
“Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system. To date, FEMA has found no indicators to suggest survivor data has been compromised.”
Contact LIFARS today for compliance advisory solutions