Mark Keierleber reports:
Detailed and highly sensitive mental health records of hundreds — and likely thousands — of former Los Angeles students were published online after the city’s school district fell victim to a massive ransomware attack last year, an investigation by The 74 has revealed.
The student psychological evaluations, published to a “dark web” leak site by the Russian-speaking ransomware gang Vice Society, offer a startling degree of personally identifiable information about students who received special education services, including their detailed medical histories, academic performance and disciplinary records.
But people are likely unaware their sensitive information is readily available online because the Los Angeles Unified School District hasn’t alerted them, a district spokesperson confirmed, and leaders haven’t acknowledged the trove of records even exists. In contrast, the district publicly acknowledged last month that the sensitive information of district contractors had been leaked.
Read more at The 74.
Mark is singing my tune about the failure to inform people that their sensitive personal information has been leaked or dumped publicly by criminals. There is no requirement under FERPA for schools to notify students or their parents of this, and there should be.
There need to be regulations or laws requiring entities from all sectors to notify individuals directly, and when that is not possible or feasible, to use media press releases and substitute notices to alert people when a data breach has resulted in the public leak or dumping of sensitive personal information.
Vice Society is not the only ransomware group that has dumped sensitive student data. If colleges find sensitive reports, will it impact students’ chances of getting into college? Will it impact their chances of getting jobs? And how can they take steps to protect their records and reputation if the entity responsible for securing their information does not even tell them that their data have been leaked?