FEMA spent nearly $650 million on sub-standard lodging for disaster survivors, violated privacy

The Golden Horseshoe is a weekly designation from Just the News intended to highlight egregious examples of wasteful taxpayer spending by the government. The ward is named for the horseshoe-shaped toilet seats for military airplanes that cost the Pentagon a whopping $640 each back in the 1980s. 

This week, our award goes to the Federal Emergency Management Agency (FEMA) for spending $642 million on five million hotel rooms for survivors of natural disasters without checking if the hotel facilities were livable, and then accidentally releasing the personal identification information of 2.3 million disaster survivors, making them susceptible to identity theft. 

In 2017, FEMA was responsible for providing Transitional Sheltering Assistance (TSA) to more than 225,000 survivors of natural disasters that included Hurricane Maria in Puerto Rico, Hurricane Harvey in Texas, Hurricane Irma in Florida, and the wildfires that raged across California.

Transitional shelters are typically hotel rooms where disaster survivors stay before temporary housing is available, or their home is safe to return to. In order to arrange the logistics of these mass-hotel stays, FEMA contracts with a company called Corporate Lodgings Consultants (CLC), which organizes and administers the government’s program by locating hotels for survivors and arranging payment for the stays.

CLC has held a government contract to fulfill these duties for 15 years, and so maintains a database of the person information of disaster survivors, as well as a network of hotels that participate in the program around the country.

The Homeland Security Department's inspector reported this month that due to the poor implementation of the terms of FEMA’s contract with CLC, some of the five million hotel rooms paid for by the government did not meet the TSA contract requirements.

When visiting a CLC hotel site in Puerto Rico, IG officials discovered that the hotel selection CLC had made did not meet the housing requirements of their contract. According to the report, one hotel in Puerto Rico “charged FEMA for storage units that did not have locking doors, furniture, or individual sanitation facilities.” American taxpayers shelled out $626,000 for that particular hotel, and nearly 200 survivors of Hurricane Maria were told to stay there. A FEMA official confirmed the agency “did not review CLC’s verification and validation process for hotels to ensure it met contract requirements.”

IG inspectors also found that FEMA’s Chief Information Officer, Chief Security Officer, and Chief Privacy Officer did not review the contract with CLC before it was granted in May of 2016, therefore failing to “finalize contract requirements, performance metrics, or reporting standards, including a Quality Assurance Surveillance Plan.”

Furthermore, the report found that, because the contract between FEMA and CLC was poorly managed, the personal identity information of 2.3 million disaster survivors was released by mistake. In 2018, the OIG recorded a privacy-related incident that was the result of the TSA database lapse. FEMA officials were notified immediately and a report entitled “FEMA Did Not Safeguard Disaster Survivors’ Personally Identifiable Information” was filed, but no corrective action ensued for the major security breach.

“Although FEMA identified deficiencies in CLC’s adherence to contract requirements, FEMA never formally addressed these weaknesses with CLC, nor did it require CLC to develop corrective actions,” the IG reported.

Additionally, the report found that in 2017, only 23.8% of FEMA employees completed a mandatory DHS privacy training. That number has steadily improved since then, but in 2019 (the last year the report tracked) still just 62.9% of FEMA employees had completed the required training, and only a single one of the 12 employees responsible for awarding and managing the TSA program had completed the training.

Hurricane season has once again arrived, and reports out of California this week imply that wildfire season has come early this year. All the while, FEMA is still failing to prioritize training and offer guidance to their own staff and the CLC staff that are responsible for successfully executing the TSA program.