The memo, known as a management alert and written by the Office of Inspector General of the Department of Homeland Security, said the data of survivors of the 2017 California wildfires and Hurricanes Harvey, Irma and Maria were released to an unidentified contractor.
There were no indications that the data had been compromised, the agency said in a statement Friday night. The agency said it had worked with the contractor to scrub the unnecessary data from its computer networks.
The memo, which was dated March 15 but surfaced Friday, found that 20 data fields were unnecessarily shared with the contractor, including details about the victims’ financial institutions, electronic funds transfer numbers and bank transit numbers. Investigators estimated 2.3 million people helped by FEMA might have been affected.
The victims were enrolled in a program called Transitional Sheltering Assistance, which provides hotels to people displaced by disasters. The memo said previous iterations of the program did require the kind of sensitive personal data that was overshared to be provided to a contractor but that was no longer the case.
The memo said the contractor did not alert FEMA that it was receiving more information than needed but noted that the contractor was not required to do so.
Had the contractor alerted FEMA, the agency “may have been able to remedy this situation earlier and avoid additional privacy incidents,” the memo said.
“Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud,” the memo said.
The name of the contractor was unavailable. The report redacted its name.
In a statement Friday night, the agency’s press secretary, Lizzie Litzow, acknowledged that FEMA transferred “more information than was necessary” to the contractor.
“Since discovery of this issue, FEMA has taken aggressive measures to correct this error,” the statement said. “FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system.”
A memo from FEMA to the Inspector General’s Office dated March 8 said the agency considered any “unnecessary sharing of survivor data to be a serious matter,” and it was “dedicating substantial resources” to address it.
Investigators recommended steps to ensure that future needless sharing of data was not repeated. The memo said FEMA concurred with the recommendations.
The discovery of the excessive sharing of data was made during an audit of the sheltering program. Investigators said that the audit was continuing and that additional recommendations might be included in a full audit report.
This article originally appeared in The New York Times.