A “major privacy breach” at the Federal Emergency Management Agency (FEMA) shared information with a contractor – including banking details – on more than two million Americans who were victims of disaster, according to the Department of Homeland Security (DHS) Office of the Inspector General.

FEMA overshared the personal information of survivors of three hurricanes – Maria, Harvey and Irma – and the 2017 California wildfires who used FEMA’s Transitional Sheltering Assistance.

“We believe this oversharing has impacted approximately 2.5 million disaster survivors,” a DHS official told the Washington Post, stressing the agency didn’t “have any information that it has been compromised in a detrimental fashion.”

A DHS spokesperson told the Post that FEMA had taken “aggressive action” to bolster privacy and prevent another incident, including installing a data filter to keep information from leaving its systems, limiting the data shared with the contractor and assessing the security of the contractor’s systems. 

“The recent disclosure by FEMA suggests that it is well past time for the U.S. government to take a federal data privacy standard seriously,” said Ping Identity CCIO Richard Bird. 

Contending that “FEMA had an obligation to take every step necessary to protect the victims of natural disaster from being victimized twice,” Bird said, “The suggestion that the contractor with whom they engaged had an opportunity to alert FEMA to this excessive amount of private information sharing is tone deaf.”

The incident, he said, underscores the need for a national privacy law. “We have to question why our government has continuously refused to address a set of national data and identity security laws,” Bird said. “The piecemeal approach happening state by state will create no safety net for our citizens.”