Emily Hawk reports on what has the makings of a significant breach:
A contractor used by the Oskaloosa Community School District and the Knoxville Community School District has experienced a data security incident that resulted in a breach of personal student information.
Timberline Billing Services, Inc. provides Medicaid billing and reimbursement services to both districts, including more than 190 other schools in Iowa.
On Sept. 2, Timberline informed both districts that an “unknown actor” encrypted files and removed information from their networks from Feb. 12 through March 4, 2020. According to a press release, the breach did not involve access to their internal systems or student records.
Read more on the Oskaloosa Herald. It turns out that these are not the only two school districts notified or potentially impacted, and it may be that all 190 or just some school districts had some of their former and current Medicaid-covered students impacted.
For those not familiar with where Medicaid factors in to schools, note that education records are covered under FERPA and are generally excluded from HIPAA, but there is an intersection between HIPAA and FERPA when it comes to schools. So will some or all of these districts wind up reporting this breach to HHS? We’ll see…