WASHINGTON – FEMA improperly shared the personal data of some 2.3 million victims from four major 2017 disasters, a government watchdog report concluded.
The agency’s misstep has put the survivors of Hurricanes Harvey, Irma and Maria and the California wildfires “at increased risk of identity theft and fraud,” according to the report from John V. Kelly, acting Inspector General for the Homeland Security Department.
FEMA is a division of Homeland Security.
Related: Brock Long, who oversaw Trump administration’s response to Hurricane Maria, resigns as FEMA chief
Related: Mostly positive FEMA reports under Obama removed
The breach occurred because proper safeguards were not taken for disaster victims who participated in FEMA’s program to provide transitional shelter to survivors left homeless, often placing them in hotels and other temporary lodging arrangements, the report said.
The 13 types of information compromised included full names, birth dates, partial social security numbers, addresses and financial information, including applicants’ bank transfer details. The data was provided to a private contractor managing the transitional shelter program.
The report, initially submitted to FEMA March 15, was publicly released Friday.
For those who survived the disasters, the disclosure wasn’t well received.
“Mistakes can be made, but the people in Sonoma County have been through so much and this just heaps another worry on them,” Sonoma Mayor Amy Harrington told USA TODAY. “The idea that these people have to worry about ID theft is just unfair.”
The disclosure came just as rebuilding disasters in Florida and California continues, with some families still in temporary housing.
“The last thing you need when you’re trying to rebuild your home and your life is impact to your credit,” said Jeff Okrepkie, a fire victim in Santa Rosa, California. “To worry about this now feels completely unnecessary and is kind of scary, to be honest.”
Darlene Izzo, who received FEMA aid for transitional shelter after Hurricane Irma wrecked her family home in Fort Myers, Florida, said the breach is comes as another blow.
“It’s already bad enough with what you’ve been through with the hurricane,” she said. “To think now that our information is being released is very upsetting.”
In a March 8 letter to Kelly included in the audit, FEMA Associate Administrator Joel Doolin acknowledged the breach and said the agency “has taken aggressive action to mitigate the issues raised within this report.”
Doolin’s letter says the agency “acted immediately to stop the flow of excess data” of personally sensitive information as soon as it received the Inspector General’s draft report in November.
The contractor was not identified in the report because it was redacted.
Although not required to do so, the contractor could have alerted FEMA that they were receiving unnecessary personal information and the agency “may have been able to remedy this situation earlier and avoid additional privacy incidents,” the report said.
The four disasters in 2017 left tens of thousands across several states and U.S. territories homeless and caused billions in damage.
Hurricane Harvey caused massive flooding in Texas. Hurricane Irma walloped the Gulf Coast of Florida. Hurricane Maria devastated Puerto Rico and the U.S. Virgin Islands. The California wildfires – about 9,000 of them – scorched more than 1 million acres in the state.
Of the information that was disclosed, bank data might have been the most damaging.
“Oh, that’s not good, that’s pretty much all you need to transfer funds into or out of a bank account,” said Okrepkie, who started a non-profit group called Coffey Strong to help his Coffey Park neighborhood victims stay connected in the rebuilding effort.
So far, 193 homes have been completed, with some 700 more expected to come online this summer. “This is really, really frustrating to hear.”
Okrepkie said that news of the FEMA data disclosure is sure to set back many of those still trying to rebuild.
“It’s disappointing and disheartening to say the least,” he said. “Enrolling in FEMA was an essential part of recovery in the aftermath of the fires. The fires hit, and you immediately heard: ‘Apply for FEMA help, apply for Red Cross help.’ Everyone did it. So to see this happen is frustrating because they’ve compromised information of people already in a financially precarious position due to recovery.”
Pamela Van Halsema, whose family of five lost their Santa Rosa home, said she is worried her information is among the compromised reports.
“What stings me about this is it’s hitting the most vulnerable people in our country,” said Van Halsema. “Those people who survived a terrible disaster often didn’t have the recourses to find another place to say, no social network, insurance or money in the bank. So they had to rely on FEMA for a hotel or trailer. So for them to have this as an additional harm put upon them is too much.”
She adds that she believes in “having a government that provides social supports and services, but not one that’s playing fast and loose with our private information. We need to trust people in these vulnerable moments, and now worry that they’re going to outsource these (rebuilding) jobs to someone who might not be so scrupulous about our data.”
In Florida, Izzo said she had a bad experience with a contractor who said he was certified through FEMA, but she later found out he was not. The contractor did a terrible job, she said. They lost money and had to hire another contractor to correct the mistakes, she said.
She said she’s now concerned about what she’ll have to prepare for going forward. She said she wonders what information could have been released because the application required so much private information, and worries she’ll be more susceptible to identity theft and fraudulent accounts being opened in her name.
“That’s one extra burden on us, to worry about what is going to happen with our personal information,” she said. “We still don’t have our roof fixed. When does this ever end?”
Contributing: Brooke Baitinger,John Fritze, Marco della Cava