The federal agency responsible for helping Americans in need just revealed that it put millions of them in jeopardy of identity theft.

On Friday (March 22), the United States Federal Emergency Management Agency (FEMA) acknowledged a Department of Homeland Security (DHS) Office of the Inspector General report that it shared personal addresses and banking information of 2.3 million U.S. disaster survivors, an error it calls a “major privacy incident.”

Those affected were survivors of the 2017 California wildfires and Hurricanes Maria, Irma and Harvey who used FEMA’S Transitional Sheltering Assistance program, reports The Washington Post. The agency shared this information—including, in some instances, bank names and electronic funds transfer numbers—while providing information to a contractor.

According to Wired, in releasing this information, “the agency violated the Privacy Act of 1974 and Department of Homeland Security policy, and exposed survivors to identity theft.”

A DHS official, who requested anonymity, told The Post that 1.8 million people had both their banking information and addresses shared, while 725,000 people had just their addresses leaked. Currently, FEMA says it is not aware of any acts of identify theft using the information.

Reports The Post:

The Inspector General report [completed on March 15] told FEMA it needed to install controls to make sure such data would not continue to be shared with contractors and that the agency needed to assess how wide the problem was and to make sure that data in the contractor’s system was destroyed.

In the Inspector General report, FEMA said that once it became aware of the problem, the agency installed a data filter in December to prevent any unnecessary personal data of survivors from leaving its system. FEMA also said in the report that, since implementing its new procedures, it had twice sent internal security experts to conduct on-site checks of its network.

Representative Bennie Thompson (D-Miss.), chair of the House Committee on Homeland Security, told The Post, “This is unacceptable, and FEMA must demonstrate it will do better in the future. Safeguarding the information of Americans already suffering from a disaster should be of the utmost importance.”

Prior to the announcement of the data share, FEMA was under scrutiny for how it has provided aid for survivors of these disasters. For instance, in July, the agency released a report assessing how it handled Hurricane Maria in Puerto Rico. The report confirmed that much of the criticism leveled against the agency was correct, including its failure to properly distribute food and generators. It also was insufficient in its efforts to move residents into hotel rooms and in getting clean drinking water to people.

As FEMA maintains that is has fixed the process that led to the share of personal and financial data, the agency also says that it does not intend to notify those whose information was shared.