LA School District Confirms Student Data Leaked in AttackAdmission Comes After Release of Report Finding Sensitive Records on Dark Web Site
The Los Angeles Unified School District confirmed that records containing mental health data and other sensitive information of about 2,000 students were among data leaked in a ransomware attack last fall by Russian hacking group Vice Society.
The LAUSD's Wednesday statement followed a report published that day by nonprofit investigative news outlet The 74, which found posted on the Vice Society dark web site a data dump of records including psychological assessments of hundreds of L.A. school district students dating back to the 1980s.
The leaked data includes the personal identifiable information of students who received special education services, including records of their detailed medical histories, academic performance and disciplinary actions.
The school district's last report to state authorities in January said that its ransomware incident had only compromised files containing information of some district contractors and subcontractor employees.
In a statement provided to Information Security Media Group, the school district says an assessment of the September 2022 attack is still continuing.
"This is an ongoing investigation in partnership with forensic and cybersecurity experts where arduous, painstaking efforts are taking place to comb through the data, review individual pieces, determine what information was accessed, locate the impacted individuals and notify them of resources to protect themselves," said Jack Kelanic, LAUSD senior administrator of IT infrastructure.
"The aftermath of a cyberattack is a multilayered, dynamic process in which real-time updates often alter the direction of an investigation," he said.
Approximately 2,000 student assessment records have been confirmed as part of the attack, 60 of whom are currently enrolled, as well as driver's license numbers and Social Security numbers.
"Some of these records go back almost three decades, which creates further time-consuming analysis. Our review has also revealed positive COVID-19 test results were part of the breach. Further analysis is ongoing."
The LAUSD incident is provoking close observers to ask why decades-old records were vulnerable to such a hacking incident - and whether the district even needed to retain such records in the first place.
"Entities should regularly review their retention policies and make sure that they are not keeping sensitive information just because," says privacy attorney Kirk Nahra of the law firm WilmerHale.
Any organization storing individuals' sensitive information should carefully assess the risks involving older legacy data, says Dror Liwer, co-founder of security firm Coro. "While we are all taught that data is an asset, unencrypted personally identifiable information is a massive liability, not an asset," he said.
The LAUSD breach also shines a spotlight on gaps in federal privacy laws. Under HIPAA, a covered entity experiencing a breach of protected health information affecting 500 or more people must report the incident to federal regulators within 60 days and notify affected individuals.
But those same breach reporting and notification breach requirements do not apply to student records - including most health information.
According to Department of Education guidance, federal regulators do not have the authority to require that agencies or institutions issue a direct notice to a parent or student upon an unauthorized disclosure of education records.
Nahra says he's "reasonably sure" the compromised student data in the LAUSD breach does not include HIPAA records.
Even if a school is covered by both federal student privacy regulations and HIPAA, the former wins, says privacy attorney Iliana Peters of the law firm Polsinelli. Educational records are "specifically excepted from the HIPAA definition of protected health information," she says.
Nonetheless, when health records fall through federal regulations, "there definitely are certain state laws" that require notification when health-related information is compromised, Nahra says.