Trove of L.A. students’ mental health records posted to dark web after cyber hack
Mark Keierleber | February 22, 2023
Your donation will help us produce journalism like this. Please give today.
Update: After this story published, the Los Angeles school district acknowledged in a statement that “approximately 2,000” student psychological evaluations — including those of 60 current students — had been uploaded to the dark web.
Detailed and highly sensitive mental health records of hundreds — and likely thousands — of former Los Angeles students were published online after the city’s school district fell victim to a massive ransomware attack last year, an investigation has revealed.
The student psychological evaluations, published to a “dark web” leak site by the Russian-speaking ransomware gang Vice Society, offer a startling degree of personally identifiable information about students who received special education services, including their detailed medical histories, academic performance and disciplinary records.
But people are likely unaware their sensitive information is readily available online because the Los Angeles Unified School District hasn’t alerted them, a district spokesperson confirmed, and leaders haven’t acknowledged the trove of records even exists. In contrast, the district publicly acknowledged last month that the sensitive information of district contractors had been leaked.
Cybersecurity experts said the revelation that student psychological records were exposed en masse and a lack of transparency by the district highlight a gap in existing federal privacy laws. Rules that pertain to sensitive health records maintained by hospitals and health insurers, which are protected by stringent data breach notification policies, differ from those that apply to education records kept by schools — even when the files themselves are virtually identical. Under existing federal privacy rules, school districts are not required to notify the public when students’ personal information, including medical records, is exposed.
But keeping the extent of data breaches under wraps runs counter to schools’ mission of improving children’s lives and instead places them at heightened risk of harm, said school cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange.
“It’s deeply disturbing that an organization that you’ve entrusted with such sensitive information is either significantly delaying — or even hiding — the fact that individuals had very sensitive information exposed,” Levin said. “For a school system to wait six months, a year or longer before notifying someone that their information is out on the dark web and being potentially abused is a year that those individuals can’t take steps to protect themselves.”
In a January report, the federal Cybersecurity and Infrastructure Security Agency warned that school districts were being targeted by cyber gangs “with potentially catastrophic impacts on students, their families, teachers and administrators.” Threats became particularly acute during the pandemic as schools grew more reliant on technology. The number of publicly disclosed cybersecurity incidents affecting schools has grown from 400 in 2018 to more than 1,300 in 2021, according to the federal agency.
When L.A. schools Superintendent Alberto Carvalho acknowledged in early October that the cyber gang published some 500 gigabytes of stolen records to the dark web after the district declined to pay an unspecified ransom demand, he sought to downplay its effects on students. An early news report said the leaked files contained some students’ psychological assessments, citing “a law enforcement source familiar with the investigation.” Carvalho called that revelation “absolutely incorrect.”
“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system and had exposed a limited collection of students’ records, including their names and addresses.
The 500 gigabytes of stolen records include tens of thousands of individual files, including scanned copies of adults’ Social Security cards, passports, financial records and other personnel files.
The systemic release of students’ psychological assessments stolen from the Los Angeles district and published to the dark web hasn’t been previously reported. Leaked psychological evaluations use a consistent file-naming structure, allowing a reporter to isolate them from other types of district records that appear on the ransomware gang’s leak site, including those related to district contractors and files that are benign and do not contain confidential information. The 74 and LA School Report have independently verified that 500 students’ sensitive psychological assessments are available for download as PDF files on the Vice Society leak site, reaching a federal threshold that would require health care providers to publicly disclose such a data breach if it involved patient health records.
More than 2,200 PDFs — and a large swath of other document types — follow the consistent file-naming structure, suggesting the total number of leaked student psychological files is in the thousands. The records are at least a decade old and while they don’t appear to contain information about current students, they do contain highly personal information about former LAUSD students who are now in their 20s and 30s.
In early October, Carvalho said that people would be contacted if their information got exposed in the data breach, assuring them, “No news is good news.” By that point, Carvalho said, school district and law enforcement analysts had already reviewed about two-thirds of the data leaked on the dark web.
Now, more than four months after the schools chief denied that psychological evaluations were exposed, the nation’s second-largest school district has not changed its position publicly. A district spokesperson said that Carvalho’s statements in October “were based on the information that had been developed at that time” and that the review was still ongoing.
“Los Angeles Unified is in the process of completing its review and analysis of the data posted by the criminals responsible for the cyberattack to the dark web, to identify individuals impacted and to provide any required notifications,” the district said in a statement. “Once Los Angeles Unified has completed its review and analysis of that data, Los Angeles Unified will provide an update,” to affected individuals and the public.
‘Huge emotional strain for the family’
The particular files posted online — students’ psycho-educational case studies — are among the most sensitive records that schools keep about children with disabilities, said Steven Catron, senior staff attorney of the Learning Rights Law Center, a Los Angeles-based nonprofit that provides free legal representation to low-income families in special education disputes with their children’s school district.
The evaluations are designed to help schools assess how a student’s disabilities and other factors affect their learning. They include a comprehensive background on the child’s medical history, observations on their home and family life, and assessments of their cognitive, academic and emotional functioning.
One of the reports notes that a student was placed in foster care “due to domestic violence in the home.” The student struggled with “a limited attention span” and often refused to complete his work, the report notes, and “is easily angered when he does not get his way.” Another states a student’s desire to “become a police officer so that he can ‘arrest people because they do drugs.’” A student’s father “works in a plant that makes airplane parts and speaks no English,” one report notes. “His mother is a librarian assistant and speaks a ‘little English.’”
In general, Catron said, such reports can include details about a family’s immigration status, sexual misconduct allegations, unfounded child abuse reports or that a student has “been hitting other children or adults in a school environment.” Yet it’s often difficult for families to get sensitive information removed from the files, he said, even if it isn’t accurate. Now, with breached student records of this nature in the public domain, “who knows what is going to happen.”
“The sheer scope of information, like you’ve seen, it’s darn broad and pretty hurtful for people,” Catron said. “If those records include those types of notes, whether correct or not, it can just cause a huge emotional strain for the family.”
The files themselves note that the assessment reports “may contain sensitive information subject to misinterpretation by untrained individuals” and that the “nonconsensual re-disclosure by unauthorized individuals is prohibited” by state law.
Available files appear to be limited to former Los Angeles students born primarily in the late 1980s and 1990s. The age of the records highlight how potential data breach victims extend far beyond current students when districts suffer hacks, Levin, the cybersecurity expert, said. Students’ sensitive information can be exposed years or even decades after they graduate if districts lack sufficient data security safeguards.
The timeline could also complicate any potential efforts by the district to find and notify affected individuals who could unknowingly face heightened risks including embarrassment, identity theft and extortion.
“Sometimes school districts will delay notifying until they can identify every last person that they possibly can, but that can be an expensive to impossible endeavor,” Levin said. “For a school district like LAUSD to try to track people who were associated with the district say 10 years ago, that’s a daunting task and clearly is very likely to be imperfect.”
The disclosure gap
Health care providers are held to strict data privacy rules and could face steep fines in the event of a data breach involving sensitive patient records. Agencies and businesses covered by the federal Health Insurance Portability and Accountability Act are required to publicly acknowledge health data breaches affecting 500 or more people and notify the U.S. Department of Health and Human Services “without unreasonable delay and in no case later than 60 days following a breach.”
The Broward County, Florida, school district recently got caught in a data breach disclosure debacle after the country’s sixth-largest school system suffered a ransomware attack in 2021 and refused to pay an extortion demand initially set at $40 million. In response, threat actors published to a dark web leak site the personal information of nearly 50,000 district personnel enrolled in its health plan. The Broward district is currently one of four K-12 school systems listed on a data breach portal maintained by the Department of Health and Human Services. The breach portal — often referred to as the “Wall of Shame” — includes all data breaches affecting 500 or more people that were reported to the federal agency in the last 24 months.
District officials in Florida ultimately waited 154 days — three months longer than federal rules allow — to disclose the breach’s full extent on its website, according to the South Florida Sun-Sentinel. In a statement, a district spokesperson said the school system “worked diligently to investigate the incident.” Once officials realized that records related to the district’s self-insured health plan were breached, notifications to affected personnel and the federal health administration “required the gathering and sorting of significant amounts of data in order to determine the individuals to be notified.”
“That process was complex and took substantial hours,” the spokesperson said. “Under the circumstances, notification was made in an expeditious manner.”
The Broward district is a HIPAA-covered entity because it operates a self-insured health plan. But public schools aren’t generally considered “covered entities” under the health privacy law. And even when they are, students’ education records — including their health information — are exempt. They’re instead covered by the Family Educational Rights and Privacy Act, the federal student privacy law known as FERPA. The law prohibits student records from being released publicly but, unlike HIPAA, does not require schools to disclose when such breaches occur.
“The same type of information is treated differently from a compliance standpoint depending on who is holding and maintaining that information,” said student privacy expert Jim Siegl, a senior technologist with the nonprofit Future of Privacy Forum. The federal privacy rules that apply to hospitals and schools “live in separate universes. If it’s maintained by the school, it’s FERPA. If it’s maintained by your doctor, the same information is HIPAA protected.”
A small subset of Los Angeles students’ health records are covered by HIPAA, the LAUSD district spokesperson said, but the psychological assessments are not. A data breach involving student’s records — like the one in Los Angeles — could be considered a FERPA violation, according to the U.S. Department of Education.
“FERPA requires the school to maintain direct control over the records,” Siegl said. “There is a lot that goes into a FERPA violation, but I would say that within the spirit of FERPA, they did not maintain direct control over the records.”
Yet, consequences for violating FERPA are next to nonexistent. Districts can lose federal funds if they have “a policy or practice” of releasing students’ records without parental permission, a high bar that excludes occasional violations. Since the law was enacted in 1974, it’s never been used to strip funding from a district that broke the rules.
‘A psychological torment’
To comply with state privacy rules, the Los Angeles district has been more transparent about the systemic breach of sensitive records about distinct construction contractors. In a data breach notice posted to the California state attorney general’s office website in January, the district said its investigation into the breach had uncovered certified payroll records and other labor compliance documents that included the names, addresses and Social Security numbers of district contractors.
The data breach notice also made clear that cyber criminals had infiltrated the district’s computer network more than a month earlier than initially disclosed. Carvalho said in October that district cybersecurity officials were quick to detect the unauthorized access and, “in a very, very unique way, we stopped the attack midstream.”
The district spokesperson said LAUSD is working to determine whether any of the breached files are considered “medical information” under state law and whether a notification is required. Any data breach alert to the state attorney general’s office would coincide with notifications to affected individuals, the spokesperson said.
Asked about the school district’s notification obligations for the trove of leaked student psychological records and whether it’s investigating the matter, an AG’s office spokesperson said in an email “we can’t comment on, even to confirm or deny, a potential or ongoing investigation,” and didn’t offer any other information. Reached for comment about the data breaches in Los Angeles and Broward County, a federal Department of Health and Human Services spokesperson said its civil rights division “does not typically comment on open or potential investigations,” and declined to say anything further.
The Los Angeles district has for decades struggled with its obligations to provide special education services to children with disabilities. Last year, it reached an agreement to provide compensatory services to children with disabilities after an investigation by the U.S. Education Department’s civil rights office found it had failed to provide them during the pandemic. Parents and advocates said last month many children are still waiting for those services.
Los Angeles parent Ariel Harman-Holmes, whose three children are in special education, said she’s worried the data breach could further divert funds from those much-needed special education services.
“I would rather have those funds go back into the schools and special education rather than spending a ton on litigation or settlements about privacy issues,” said Harman-Holmes, who serves as vice chair of the district’s Community Advisory Committee for Special Education. But she acknowledged it “would be very disturbing” if her own child’s psychological evaluations were leaked online.
“Our middle son is a very private person and this could be a psychological torment to him knowing that personal observations about him were out there,” she said. “That would be very devastating to him.”
Help us report on the LAUSD ransomeware attack:
Are you a former Los Angeles Unified School District student in special education who may have been a data breach victim? Please click here to share your story with investigative reporter Mark Keierleber.