Highly sensitive health records, including psychological evaluations, of about 2,000 students were leaked as a result of the ransomware attack that hit the Los Angeles Unified School District last year.
The nation’s second-largest school system confirmed the potentially damaging and personal information of students was included in a massive data leak after The 74, a nonprofit news organization covering the U.S. education system, published a report detailing the trove of mental health records exposed as part of the attack.
“Approximately 2,000 student assessment records have been confirmed as part of the attack, 60 of whom are currently enrolled, as well as driver’s license numbers and Social Security numbers," Jack Kelanic, the district’s senior administrator of IT infrastructure, said in a statement. "Some of these records go back almost three decades, which creates further time-consuming analysis.”
Alberto Carvalho, the district’s superintendent, initially downplayed the impact of the leaked data after Vice Society, the prolific ransomware group behind the attack, posted about 250,000 files on the dark web.
“Based on what we have seen, there is, at this point, no evidence of widespread impact as far as truly sensitive, confidential information,” Carvalho said during a news conference in October following the release of data.
He contested reports of student psychological assessments being leaked, but said there were “outlier” cases.
Threat researchers who observed some of the data at the time said files contained personal and sensitive information on students and employees, including psychological assessments of some students.
“This is an ongoing investigation in partnership with forensic and cybersecurity experts where arduous, painstaking efforts are taking place to comb through the data, review individual pieces, determine what information was accessed, locate the impacted individuals and notify them of resources to protect themselves,” Kelanic said.
“The aftermath of a cyberattack is a multilayered, dynamic process in which real-time updates often alter the direction of an investigation,” Kelanic said. “As the district and its partners delve deeper into the reality of the data breach, the scope of the attack further actualizes and new discoveries have been revealed.”
The district notified some individuals and vendors impacted by the attack, but declined to say if the 60 current students or nearly 2,000 former students were part of those notifications.
“We have been notifying individuals as we complete reviews, but this investigation and analysis is ongoing. We will provide further information as it becomes available,” a district spokesperson said.
A data breach notice filed last month with the California Department of Justice, said “an unauthorized actor accessed and acquired certain files maintained on our servers” between July 31 and Sept. 3. The notices were sent to contractors that worked on Facilities Services Division projects.
The timeline of the breach shifted after further investigation showed the ransomware group breached the district’s systems and remained undetected for a month.
It’s not uncommon for the timeline of a cyberattack and the extent of data compromised to change upon further investigation.
“Throughout this process, information has been made public based on its availability at the time and as confirmed by both internal and external expert entities,” Kelanic said in a statement. “Ongoing legal notification is complex and made harder in many instances due to the age of files.”
The Los Angeles Unified School District is not the only California school system to have suffered data breaches of late.
A breach at the Long Beach Unified School District exposed the names, emails and ID numbers of at least 130,000 students. And a misconfigured folder containing application files for Stanford University’s economics doctorate program exposed personal information of 897 individuals.