The U.S. Federal Emergency Management Agency (FEMA) exposed 2.3 million disaster survivors to possible identity theft and fraud by sharing sensitive personal information with an outside company, according to an internal government watchdog.
The U.S. Department of Homeland Security's Office of Inspector General (OIG) said FEMA had shared financial records and other sensitive information of people who had participated in an emergency shelter program after being displaced by hurricanes Harvey, Irma and Maria and the California wildfires in 2017.
The Inspector General's office said FEMA had shared participants' home addresses and bank account information with the contractor, along with necessary information like their names and birthdates.
That "has placed approximately 2.3 million disaster survivors at increased risk of identity theft and fraud," the Inspector General's office said in a report. The name of the contactor was redacted.
In a statement released on Friday, FEMA spokeswoman Lizzie Litzow said the agency had found no indication to suggest survivor data had been "compromised." She said the agency has removed unnecessary information from the contractor's computer systems.
But FEMA's review only found that the contractor's computer systems had not been breached within the past 30 days because it did not keep records beyond that point, OIG said. FEMA told the watchdog it will not be able to completely resolve the problem until June 30.
It is not the first time OIG has found that FEMA has mishandled personal information. A 2015 review revealed that agency personnel at a disaster-response center in California stored disaster survivor records in open, unsecured cardboard boxes. Investigators also found the agency mishandled data in 2013.
FEMA awarded contracts to 1,660 different entities in the last fiscal year, according to federal contracting data, covering everything from food to construction equipment.
The privacy breach is likely to prompt further criticism of an agency that was stretched to its limit in the second half of 2017 as it responded to a string of record-breaking hurricanes, wildfires and other natural disasters.
In particular, FEMA struggled to deliver food and water in a timely fashion to Puerto Rico after Hurricane Maria killed nearly 3,000 people and left the island's 3.7 million residents without electricity for several months.
FEMA director Brock Long faced criticism last fall when DHS determined that he had inappropriately used government vehicles to commute between Washington and North Carolina. He resigned in February, capping an 18-month tenure during which the agency responded to more than 220 declared disasters.
