FEMA overshares survivor information with contractor

Survivors using the Transitional Sheltering Assistance Program from FEMA may soon get a letter from FEMA about private information being overshared. (MGN)

WASHINGTON, D.C. (WJHG/WECP) - Some people who were impacted by Hurricane Michael and received help from FEMA may have had their private information shared.

FEMA released a statement earlier this month saying that in March the Department of Homeland Security Office of the Inspector General reported that FEMA had unnecessarily overshared personally identifiable information of some disaster survivors with the contractor supporting its Transitional Sheltering Assistance (TSA) Program. The program helped Hurricane Michael survivors find shelter in local hotels and motels for six months after the storm.

FEMA says it acted quickly to quarantine, protect, and permanently remove the overshared information from the contractor's system.

"While we regret this error, the agency will continue to assure disaster survivors that it has not found any evidence that any of the overshared information was compromised. Out of an abundance of caution, FEMA will provide credit monitoring services for a period of 18 months to affected survivors who request the service," the FEMA website reads.

FEMA sent a letter on September 3rd to survivors whose information was overshared. The letter includes instructions on how to register for free credit monitoring. Here's what the letter looks like:

"Dear Survivor,

"I am writing to inform you of a privacy incident involving the Federal Emergency Management Agency’s (FEMA) overshare of disaster survivor information with a contractor that supports FEMA’s Transitional Sheltering Assistance (TSA) program. You are receiving this notification because you are listed as someone who was affected by a Presidentially-declared disaster and were eligible for assistance through this program. We have determined that your personal information was impacted by this privacy incident.

"The TSA program provides hotel accommodations for disaster survivors who are not able to return home for an extended period following a disaster. FEMA relies on contractor assistance to administer the program, which involves payment directly to lodging providers. A version of FEMA assistance necessitated sharing banking and address information with the contractor to reimburse disaster survivors directly for hotel and lodging costs, rather than paying lodging providers directly. As FEMA has not activated that program since 2008, the sharing of survivor banking and home address information with the contractor ceased to be necessary. However, FEMA continued to share the same level of information previously required. This resulted in an oversharing of survivor information.

"What happened?
"During the course of an ongoing audit of FEMA’s TSA program conducted by the Department of Homeland Security’s (DHS) Office of Inspector General (OIG), it was discovered that FEMA shared more than the required personally identifiable information (PII) of disaster survivors, to include sensitive PII (SPII), with a FEMA contractor. This overshared SPII included disaster survivors’ banking and home address information.

"What information was compromised?
"The overshared data included survivor banking and address information, which was no longer necessary because FEMA provided payments directly to hotels through the contractor, instead of reimbursement to survivors. FEMA conducted its own extensive review of the incident and determined that it overshared the address information of 2.5 million individuals with the contractor. Additionally, of the total 2.5 million impacted individuals, approximately 1.8 million individuals also had their banking information overshared with the contractor. FEMA believes any Individual Assistance (IA) applicant who shared their address and banking information at the time they registered for FEMA assistance since 2008, and were eligible for TSA, may have had their information transferred to the contractor.

"What has/is FEMA doing to rectify this incident?
"FEMA takes personal privacy very seriously. We are working to protect the information of disaster survivors and prevent similar incidents from occurring in the future. Notification letters are being sent to those who were affected by the overshare of SPII. All individuals affected by this privacy incident are being offered 18 months of free credit monitoring and identity protection services. FEMA also established a webpage at www.fema.gov/survivor-privacy-incident to provide notice to individuals along with remediation options. In addition, FEMA took the following actions after identifying this error:

- Permanently deleted previously-overshared PII and SPII from the contractor’s computer system.
- Immediately changed our data-sharing process and only share the minimum amount of data necessary for our contractor to run the TSA program.
- Conducted a security assessment of the contractor computer system and determined there was no evidence that disaster survivor information had been compromised.

"What do I need to do?
"FEMA has not found any evidence that your overshared PII or SPII was compromised. However, in order to minimize any potential risk, FEMA has arranged to have MyIDCare provide credit monitoring services to protect your identity for eighteen (18) months at no cost to you. You may sign up via phone at 1-833-300-6934 or online at the following web page, using the redemption code at the upper right-hand corner of the first page of this letter: https://ide.myidcare.com/emergencylodgingIPS

"You can also visit www.fema.gov/survivor-privacy-incident or speak directly with an individual about this matter by calling 1-833-300-6934, Monday through Saturday, 9:00 a.m. through 9:00 p.m., Eastern Standard Time (EST). We will be able to answer your questions about what happened and provide you with information on how you can monitor the security of your personal information.

"What else can you do to protect yourself?
"You may obtain a free credit report by contacting AnnualCreditReport.com or by calling 1-877-322-8228. You may also contact the three major credit bureaus below regarding credit freezes and credit reports:

P.O. Box 9554
Allen, TX 75013

P.O. Box 105069
Atlanta, GA 30348-5069

Fraud Victim Assistance Department
P.O. Box 2000
Chester, PA 19016

"Review your free credit report carefully. If you find errors, take these steps:

- Explore if a credit freeze is right for you. You have the right to put a credit freeze, also known as a security freeze, on your credit file, so that no new credit can be opened in your name without the use of a PIN number that is issued to you when you initiate a freeze. A credit freeze is designed to prevent anyone from accessing your credit report without your consent. If you place a credit freeze, potential creditors and other third parties will not be able to access your credit report unless you temporarily lift the freeze. Therefore, using a credit freeze may delay your ability to obtain credit. By law, you cannot be charged to place or lift a credit freeze on your credit report. Should you wish to place a credit freeze, please contact all three major consumer reporting agencies.
- You also have the right to place an initial or extended fraud alert on your file at no cost. An initial fraud alert lasts 1 year and is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting 7 years. Should you wish to place a fraud alert, please contact any one of the agencies. The agency you contact will then contact the other two credit agencies.
- Dispute any errors you find yourself. You don’t need to use a credit repair service. By law, consumer reporting agencies and the creditors that provide the information in your credit report are responsible for correcting inaccurate or incomplete information in your report.
- If errors on your credit report seem to be the result of someone stealing your identity, go to identitytheft.gov to get personalized steps to report and recover from identity theft.

"FEMA takes very seriously the obligation to serve disaster survivors and is committed to protecting the information entrusted to us. We sincerely apologize for any inconvenience this may have caused. Please be assured that we will make every effort to ensure this does not happen again in the future. Our goal remains protecting and strengthening the integrity, effectiveness, and security of our programs that help people before, during, and after disasters."

For more information on the privacy incident, visit FEMA's website about the incident.

Copyright 2019 WJHG. All rights reserved.