House Republicans Want FEMA to Answer for Leaking 2.3 Million Americans' Data

Department of Homeland Security personnel deliver supplies to Santa Ana community residents in the aftermath of Hurricane Maria in Guayama, Puerto Rico.

Department of Homeland Security personnel deliver supplies to Santa Ana community residents in the aftermath of Hurricane Maria in Guayama, Puerto Rico. Carlos Giusti/AP

Featured eBooks

The Government's Artificial Intelligence Reality
What’s Next for Federal Customer Experience
Cloud Smarter

Members of the Committee on Science, Space and Technology want a full briefing from FEMA brass no later than April 18.

After poor management and data controls led to 2.3 million disaster survivors’ highly sensitive information being released to a contractor, a group of Republican lawmakers are calling on officials from the Federal Emergency Management Agency to explain themselves before Congress.

Last month, a FEMA inspector general report revealed the agency had been providing more personal data than it should—including addresses, financial institutions and banking numbers—on disaster survivors looking for housing assistance through the agency’s Transitional Sheltering Assistance program.

“A privacy incident occurred because FEMA did not ensure it shared with the contractor only the data elements the contractor requires,” according to a management alert sent to acting FEMA Administrator Pete Gaynor. “FEMA provided and continues to provide [the contractor] with more than 20 unnecessary data fields for survivors participating in the TSA program.”

Nine members of the House Committee on Science, Space and Technology, including ranking member Frank Lucas, of Oklahoma, sent a letter Thursday to Gaynor requesting a briefing no later than April 18 that goes into “specific details” about why this happened, the impact to affected citizens and the agency’s plans to prevent this from happening again.

Officials should also be prepared for a quiz on the National Institute for Standards and Technology’s Cybersecurity Framework, which outlines how agencies are meant to protect personally identifiable information, or PII.

“The privacy incident at FEMA is particularly concerning to the committee, as this sensitive information can be used to prey upon individuals in a variety of ways, including identity theft, fraud, targeted scams and spearphishing,” the letter reads. “Disaster survivors, as they navigate the significant amount of paperwork and logistics required to apply for assistance, pay medical bills and find temporary lodging, are particularly vulnerable to these schemes,” something of which FEMA officials are well aware, lawmakers note.

Committee members also expressed concern that these kinds of privacy violations “may undermine survivors’ confidence in their ability to safely and securely share their personal information with FEMA.” And if citizens aren’t willing to work with FEMA, then the agency will fail in its mission to support the public in the wake of disasters.

“FEMA is in receipt of the letter from the House Science, Space, and Technology Committee members and will work with the committee, and other Congressional partners, with regards to their requests on this topic,” a FEMA spokesperson told Nextgov.

“Survivors of natural disasters are in an especially vulnerable position,” signatory Rep. Jenniffer Gonzalez-Colon, R-Puerto Rico, said in a statement. “In the case of Puerto Rico, hundreds of thousands of my constituents lost a great deal—some lost all of their belongings. … To think that their personal information was compromised by failure to employ safe and measured data sharing practices is unacceptable.”

Editor's Note: This story has been updated to include comment from FEMA.