From OIG’s report, released March 15:
Results in Brief
During our ongoing audit of the Federal Emergency Management Agency’s (FEMA) Transitional Sheltering Assistance (TSA) program, we determined that FEMA violated the Privacy Act of 19741 and Department of Homeland Security policy2 by releasing to 
the PII and SPII of 2.3 million survivors of hurricanes Harvey, Irma, and Maria and the California wildfires in 2017.3 FEMA should only provide 
with limited information needed to verify disaster survivors’ eligibility for the TSA program. The privacy incident4 occurred because FEMA did not take steps to ensure it provided only required data elements to 
Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.