The Department of Homeland Security’s Office of Inspector General said Fema improperly shared personal records.
Survivors of hurricanes Harvey, Irma and Maria and the 2017 California wildfires were put at risk.
Fema admitted the leak but said it had found no evidence that the improperly shared data was compromised.
Authorities said Fema shared participants’ home addresses and bank account information with a third party contractor.
The survivors provided information to Fema in the course of applying for shelters. More than 20 data fields were improperly shared with the contractor, the Office of Inspector General said in a memo.
The name of the contractor was not made public.
Fema spokeswoman Lizzie Litzow said that the sensitive information had been removed from the system following a review.
“Since discovery of this issue, FEMA has taken aggressive measures to correct this error,” Ms Litzow said. “FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system.”
Fema has previously been censured for mishandling information. A 2015 review by the same government watchdog found that survivor’s records were stored at a disaster-response centre in California in open, unsecured cardboard boxes.
Hurricane Harvey hit Texas in August 2017, killing 68 people and causing about $125 billion (£95bn; €110bn) in damage. Hurricane Irma struck Florida later the same month, killing 97 and causing $50 billion in damage. Hurricane Maria killed more than 3,000 people in Puerto Rico and ravage the island.
The breach also included victims of the wildfires that swept through California in 2017, with 9,000 separate fires burning 1.2 million acres of land and killing at least 46 people.