FEMA data disclosure affects up to 1,000 local fire victims, group says
Up to 1,000 Sonoma County fire victims who sought temporary shelter through the Federal Emergency Management Agency had their personal data such as banking and Social Security numbers disclosed because FEMA wrongly sent a contractor that information from aid applications.
That estimate is based on figures provided by Legal Aid of Sonoma County, which put the number of Sonoma County participants in an affected FEMA shelter program at between 600 and 1,000.
The estimate comes after a federal watchdog agency reported last week that FEMA improperly and illegally shared personal data of at least 2.3 million survivors of 2017 disasters, including the California wildfires and Hurricanes Harvey, Irma and Maria.
FEMA on Wednesday could not provide its own count of how many local fire survivors were affected by the improper data disclosure. The agency did emphasize there was no sign that the contractor had suffered a data breach that could imperil victims’ data.
Kendall Jarvis, disaster relief attorney with Legal Aid of Sonoma County, said she has heard concerns from local fire survivors about fraudulent activities, but it was unclear whether any of those issues were directly connected to FEMA’s disclosure. She suggested that anyone with concerns about potential identity theft or fraud should run their credit report and talk to their bank.
“If you gave account information to FEMA, you very well may want to close your account and start a new account,” Jarvis said.
The Office of Inspector General of the Department of Homeland Security, which investigated the “privacy incident,” determined FEMA violated the federal Privacy Act of 1974 as well as federal policy. In a redacted report the watchdog released last week, investigators said the incident happened “because FEMA did not take steps to ensure it provided only required data elements” to the contractor, which has not been publicly identified.
“Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud,” the report said.
Responding to the watchdog report, FEMA said the improperly shared data has been “sanitized” from the contractor’s system and that the agency took steps to ensure it no longer shares such sensitive data through its Transitional Sheltering Assistance program.
Through the program, FEMA provides short-term lodging for disaster victims in local hotels. The agency pays for the rooms and collects information from disaster survivors but works with a contractor to actually book the rooms.
FEMA is required to share certain information, such as an applicant’s full name, date of birth and the last four digits of a Social Security number, with the contractor.
But in the violation unearthed by the federal watchdog, FEMA in millions of cases shared more than 20 “unnecessary data fields” including six that contain sensitive personal data such as home addresses, Social Security numbers and banking information from aid applicants, according to the report.
The report also states that a FEMA cybersecurity team identified several “security vulnerabilities,” seven of which had not been totally fixed by the time the report was released. A FEMA official said in a March memo that the agency received the watchdog’s draft report on Nov. 9 and confirmed the sharing of unnecessary data had stopped by Dec. 7, with the data in question removed from the contractor’s systems as of Dec. 21 - more than a month after receiving the report.
The contractor’s network activity logs only keep data for 30 days, according to the report.
FEMA on Wednesday declined to clarify whether people who qualified for the emergency hotel shelter program but never spent a night in a FEMA-funded hotel room also had their data shared with the contractor.
“That’s also the scarier piece of the puzzle, because those are the people who don’t know,” said Jarvis with Legal Aid.
FEMA spokeswoman Lizzie Litzow on Wednesday emphasized the Office of Inspector General’s finding that there was no evidence of a data breach and said the agency had “taken aggressive measures to correct this error.” Those steps included reviewing the contractor’s computer system for vulnerabilities, updating its contract to ensure compliance with Department of Homeland Security standards and instructing third-party staffers to complete federal privacy training.
“FEMA’s goal remains protecting and strengthening the integrity, effectiveness and security of our disaster programs that help people before, during, and after disasters,” Litzow said in an email, adding, “To be clear, there is no information to suggest any survivors’ data has been compromised.”
You can reach Staff Writer Will Schmitt at 707-521-5207 or email@example.com. On Twitter @wsreports.