Trove of LA Students’ Mental Health Records Posted to Dark Web After Cyber Hack

74 Investigation reveals systemic data breach of sensitive psychological evaluations following Vice Society ransomware attack

By Mark Keierleber | February 20, 2023

Detailed and highly sensitive mental health records of hundreds — and likely thousands — of former Los Angeles students were published online after the city’s school district fell victim to a massive ransomware attack last fall, an investigation by The 74 has revealed. 

The student psychological evaluations, published to a “dark web” leak site by the Russian-speaking ransomware gang Vice Society, offer a startling degree of personally identifiable information about students who received special education services, including their detailed medical histories, academic performance and disciplinary records. 

But people may be unaware their sensitive information is readily available online because Los Angeles Unified School District leaders have denied the trove of records even exists. 

Data privacy experts said the revelation highlights a gap between federal laws pertaining to sensitive health records maintained by hospitals and health insurers, which are protected by stringent data breach notification policies, and education records maintained by schools — even when the records themselves are virtually identical. Under existing federal privacy rules, school districts are not required to notify the public when students’ personal information, including medical records, is exposed. 

But keeping the extent of data breaches under wraps runs counter to schools’ mission of improving children’s lives and instead places them at heightened risk of harm, said school cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange.

“It’s deeply disturbing that an organization that you’ve entrusted with such sensitive information is either significantly delaying, or even hiding the fact, that individuals had very sensitive information exposed,” Levin told The 74. “For a school system to wait six months, a year or longer before notifying someone that their information is out on the dark web and being potentially abused is a year that those individuals can’t take steps to protect themselves.” 

When Superintendent Alberto Carvalho acknowledged in early October that the cyber gang published some 500 gigabytes of stolen records to the dark web after the district declined to pay an unspecified ransom demand, he sought to downplay its effects on students. Citing “a law enforcement source familiar with the investigation” into the data breach, an early news report said the leaked files contained some students’ psychological assessments, a revelation that Carvalho called “absolutely incorrect.” 

“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system and had exposed a limited collection of students’ information, including their names and addresses. 

The 500 gigabytes of stolen records include tens of thousands of individual files, including scanned copies of Social Security cards, passports, financial records and other personnel files. 

The systemic release of students’ psychological assessments stolen from the Los Angeles district and published to the dark web hasn’t been previously reported. Leaked psychological evaluations use a consistent file-naming structure, allowing The 74 to isolate them from other types of district records that appear on the ransomware gang’s leak site, including those related to district contractors and files that are benign and do not contain confidential information. The 74 has independently verified that 500 students’ sensitive psychological assessments are available for download as PDF files on the Vice Society leak site, reaching a federal threshold that requires health care providers to publicly disclose data breaches involving patient health records. 

More than 2,200 PDFs — and a large swath of other document types — follow the consistent file-naming structure, suggesting the total number of leaked student psychological files is in the thousands. 

More than four months after Carvalho denied that psychological evaluations were exposed, the district’s official position hasn’t changed, and a district spokesperson said that Carvalho’s statements in October “were based on the information that had been developed at that time.”

“Los Angeles Unified is in the process of completing its review and analysis of the data posted by the criminals responsible for the cyberattack to the dark web, to identify individuals impacted and to provide any required notifications,” the district told The 74 in a statement. “Once Los Angeles Unified has completed its review and analysis of that data, Los Angeles Unified will provide an update.” 

A trove of sensitive information

The particular files posted online — students’ psycho-educational case studies — are among the most sensitive records that schools keep about children with disabilities, said Steven Catron, senior staff attorney of the Learning Rights Law Center, a Los Angeles-based nonprofit that provides free legal representation to low-income families in contentious special education disputes with their children’s school district.

The evaluations are designed to help schools assess how a student’s disabilities and other factors affect their learning. They include a comprehensive background on the child’s medical history and assessments of their cognitive, academic and emotional functioning. 

One of the reports notes that a student was placed in foster care “due to domestic violence in the home.” The student struggled with “a limited attention span” and often refused to complete his work, the report notes, and “is easily angered when he does not get his way.” Another states a student’s desire to “become a police officer so that he can ‘arrest people because they do drugs.’” A student’s father “works in a plant that makes airplane parts and speaks no English,” one report notes. “His mother is a librarian assistant and speaks a ‘little English.’” 

In some instances, the reports can include details about a family’s immigration status, sexual misconduct allegations, unfounded child abuse reports or that a student has “been hitting other children or adults in a school environment,” Catron said. Yet it’s often difficult for families to get sensitive information removed from the files even if it isn’t accurate. Now, with breached students’ records in the public domain, “who knows what is going to happen.”

“The sheer scope of information, like you’ve seen, it’s darn broad and pretty hurtful for people,” Catron said. “If those records include those types of notes, whether correct or not it can just cause a huge emotional strain for the family.” 

The files themselves note that the assessment reports “may contain sensitive information subject to misinterpretation by untrained individuals” and that the “nonconsensual re-disclosure by unauthorized individuals is prohibited” by state law. 

Available files appear to be limited to former Los Angeles students born in the late 1980s and early 1990s and are therefore unlikely to contain information about current students. Yet the age of the records highlights how potential data breach victims extend far beyond current students when districts suffer hacks, Levin, the cybersecurity expert, said. Students’ sensitive information can be exposed years or even decades after they graduate if districts lack sufficient data security safeguards.

It could also complicate any potential efforts by the district to find and notify affected individuals who could unknowingly face heightened risks including embarrassment, identity theft and extortion.

“Sometimes school districts will delay notifying until they can identify every last person that they possibly can, but that can be an expensive to impossible endeavor,” Levin said. “For a school district like LAUSD to try to track people who were associated with the district say 10 years ago, that’s a daunting task and clearly is very likely to be imperfect.”

The disclosure gap

Health care providers are held to strict data privacy rules and could face steep fines in the event of a data breach involving sensitive patient records. Agencies and businesses covered by the federal Health Insurance Portability and Accountability Act are required to publicly acknowledge health data breaches affecting 500 or more people and notify the U.S. Department of Health and Human Services “without unreasonable delay and in no case later than 60 days following a breach.” 

The school district in Broward County, Florida, recently got caught in a data breach disclosure debacle after the country’s sixth-largest school system suffered a ransomware attack in 2021 and refused to pay an extortion demand initially set at $40 million. In response, threat actors published to a dark web leak site the personal information of nearly 50,000 district personnel enrolled in its health plan. The Broward district is currently one of four K-12 school systems listed on a data breach portal maintained by the Department of Health and Human Services. The breach portal  — often referred to as the “Wall of Shame” — includes all data breaches affecting 500 or more people that were reported to the agency in the last 24 months. 

District officials in Florida sought to downplay the breach and ultimately waited 154 days — three months longer than federal rules allow — to disclose the full extent of the breach on its website, according to the South Florida Sun-Sentinel. The Broward County district didn’t respond to requests for comment but told the Sun-Sentinel it complied with the federal health privacy law. The district needed to gather and sort through a significant amount of data to determine who should be notified, a district spokesperson said. 

“That process was complex and took substantial hours,” the spokesperson said in a statement. “Under the circumstances, notification was made in an expeditious manner.” 

The Broward district is a HIPAA-covered entity because it operates a self-insured health plan. But public schools aren’t generally considered “covered entities” under the health privacy law. And even when they are, students’ education records — including their health information — are exempt. They’re instead covered by the Family Educational Rights and Privacy Act, the federal student privacy law known as FERPA. The law prohibits student records from being released publicly but does not require schools to disclose when such breaches occur.

“The same type of information is treated differently from a compliance standpoint depending on who is holding and maintaining that information,” said student privacy expert Jim Siegl, a senior technologist with the nonprofit Future of Privacy Forum. The federal privacy rules that apply to hospitals and schools “live in separate universes. If it’s maintained by the school, it’s FERPA. If it’s maintained by your doctor, the same information is HIPAA protected.” 

The Los Angeles school district’s information protection policy suggests otherwise. According to the policy, the district is bound by HIPAA’s privacy rules because it provides medical services to students and retains records about the treatments they receive. “The district and its employees have access to student health information that is protected under HIPAA,” the district policy states. “Therefore, the District and its employees must comply with all relevant provisions of the HIPAA Privacy Rule.”

But the district policy is baffling and doesn’t clearly explain why it believes that students’ records are covered under the health law, Siegl said. 

“I don’t want to speculate about the logic behind LAUSD’s very unusual policy,” said Siegl, who was previously a technology architect focused on privacy and security for the Fairfax, Virginia school district. “I have not seen a similar policy from another school district in my 19 years of experience.” 

A data breach involving students’ records — like the one in Los Angeles — could be considered a FERPA violation, according to the U.S. Department of Education.

“FERPA requires the school to maintain direct control over the records,” Siegl said. “There is a lot that goes into a FERPA violation, but I would say that within the spirit of FERPA, they did not maintain direct control over the records.” 

Yet, consequences for violating FERPA are next to nonexistent. Districts can lose federal funds if they have “a policy or practice” of releasing students’ records without parental permission, a high bar that excludes occasional violations. Since the law was enacted in 1974, it’s never been used to strip funding from a district that broke the rules. 

‘Very disturbing’

To comply with state privacy rules, the Los Angeles district has been more transparent about the systemic breach of sensitive records about district construction contractors. In a data breach notice posted to the state attorney general’s office website in January, the district said its investigation into the breach had uncovered certified payroll records and other labor compliance documents that included the names, addresses and Social Security numbers of district contractors.

Asked about the school district’s notification obligations for the trove of leaked student records and whether it’s investigating the matter, a spokesperson with the attorney general’s office said in an email “we can’t comment on, even to confirm or deny, a potential or ongoing investigation,” and didn’t offer further comment. Reached for comment about the data breaches in Los Angeles and Broward County, a Department of Health and Human Services spokesperson said its civil rights division “does not typically comment on open or potential investigations,” and declined to comment further.

The Los Angeles district has for decades struggled with its obligations to provide special education services to children with disabilities. Last year, it reached an agreement to provide compensatory services to children with disabilities after an investigation by the Education Department’s civil rights office found it had failed to provide them during the pandemic. 

Los Angeles parent Ariel Harman-Holmes, whose three children are in special education, said she’s worried the data breach could further divert funds from much-needed special education services. 

“I would rather have those funds go back into the schools and special education rather than spending a ton on litigation or settlements about privacy issues,” said Harman-Holmes, who serves as vice chair of the district’s Community Advisory Committee for Special Education. But she acknowledged it “would be very disturbing” if her own child’s psychological evaluations were leaked online.

“Our middle son is a very private person and this could be a psychological torment to him knowing that personal observations about him were out there,” she said. “That would be very devastating to him.”
