Ransomware gang leaked Los Angeles student health records online
Health records for about 2,000 current and former Los Angeles school students have been published to the dark web following a ransomware attack last year, the school district said in a statement on Wednesday.
The “assessment records,” which could include mental health, attendance, disciplinary and academic results, were stolen in a September 2022 cyber attack, Jack Kelanic, a senior IT administrator for the district, told Reuters after an education news site posted redacted copies of purported student mental health records online.
The attacks were first widely reported last year, but the compromise of sensitive health records only came to light in recent days.
Last year, Los Angeles School Superintendent Alberto Carvalho said the Russian ransomware gang Vice Society had claimed responsibility for the hack and placed the material online in October.
According to The 74, an education focused news site, psychological evaluations containing large amounts of personally identifiable information were posted online about special education students, including their medical histories, academic performance and disciplinary records.
Ransomware attacks in recent years have impacted daily life across the world with hacks of school systems, healthcare providers and utilities damaging individual privacy and unexpectedly costing victim companies and organizations.
Cyber attacks on schools worsened after the COVID-19 pandemic forced millions of students online for virtual instruction while school systems’ technology infrastructure may not have been ready.
Los Angeles Unified, the second largest school district in the United States, said its investigation is ongoing and that it continues to assess the September 2022 cyberattack.
Kelanic told Reuters that approximately 2,000 student assessment records “have been confirmed as part of the attack.” He said 60 of the impacted students are currently enrolled and that driver’s license numbers, Social Security numbers and even positive COVID-19 results were compromised as well.
“Los Angeles Unified takes student, family and employee privacy very seriously and has been implementing enhanced protections and procedures to ensure our data security,” Kelanic said, adding they have notified some of the affected individuals and vendors.