The Los Angeles Unified School District is now admitting that the scope of its 2022 data leak due to a cyberattack was far worse than initially reported, compromising about 2,000 student assessment records as well as positive COVID test results, driver’s license numbers and Social Security numbers.
The disturbing new information was provided to the Los Angeles Daily News by Jack Kelanic, senior administrator of IT infrastructure for LAUSD, after the nonprofit newsroom The 74 published a report this week revealing that hundreds of former students’ psychological evaluations had been published on the dark web.
The leaked student psychological evaluations contain intimate details about students’ medications, diagnoses, incidents of sexual abuse, home lives, past traumas and behavioral challenges.
“This is some of the most sensitive information you could possibly have about someone that could embarrass them for the rest of their lives,” said Ariel Harman-Holmes, LAUSD parent and vice chair of the Community Advisory Committee for Special Education. “It’s extremely troubling.”
The evaluations were part of the data released by the Russian criminal syndicate Vice Society, which attempted to extract a ransom from the school district for the 500 gigabytes of data it stole in a September 2022 cyberattack. When the district refused to negotiate, the syndicate published thousands of files on the dark web on Oct. 1, 2022.
Initially, LAUSD Superintendent Carvalho painted a somewhat sunny picture of the damage, saying there was “no evidence of widespread impact, as far as truly sensitive confidential information.” He made that statement in early October, after the district reported that it had analyzed two-thirds of the leaked data.
At the time, Carvalho was adamant that no psychological evaluations were included in the data leak.
But now, after the publication of The 74’s investigation, the district has changed its tune.
“The aftermath of a cyberattack is a multi-layered, dynamic process in which real-time updates often alter the direction of an investigation,” said LAUSD’s Kelanic in a written statement. “As the District and its partners delve deeper into the reality of the data breach, the scope of the attack further actualizes and new discoveries have been revealed.”
Kelanic gave no timeline explaining when the district discovered the additional and highly sensitive leaked information.
Legally, the district was under no obligation to disclose the data leak of the student psychological evaluations.
Although the evaluations contain medical information, they are considered school documents and are not protected by HIPAA, the law governing the use of medical records. They are instead protected by the Family Educational Rights and Privacy Act, which, unlike HIPAA, does not require schools to disclose when data breaches occur.
“It isn’t surprising to me that it (the psychological evaluation leak) wasn’t initially reported,” said Tyler Hudak, a cyber security expert for TrustedSec security firm. “In my experience, most organizations are going to follow the letter of the law in terms of what they do and do not need to do.”
Kelanic said the school district has begun notifying some individuals and vendors impacted by the attack and will continue to do so as people are identified.
“Throughout this process, information has been made public based on its availability at the time and as confirmed by both internal and external expert entities,” he stated. “Ongoing legal notification is complex and made harder in many instances due to the age of files.”
The 500 psychological evaluation forms analyzed by The 74 were primarily from former students born in the late 1980s and 1990s. Kelanic also said that 60 of the leaked student assessments were those of current students.
Ryan Cloutier, president of SecurityStudio and an expert on K-12 cyber security, said he feels it is the district’s “moral obligation” to contact students whose psychological assessments were stolen.
“It could ruin careers, it could damage families, people could get fired, it could potentially increase the likelihood of self harm if they suffer some kind of mental trauma from it,” he said. “Frankly, most of us don’t want the dumb stuff we did as an angry moody teenager to be a permanent record for all the world to access.”
Lisa Mosko Barros, the former chair of the Community Advisory Committee for Special Education and a parent of two children with individualized education programs, pointed out that some of the leaked psychological assessments might contain factual inaccuracies.
“That’s really problematic,” she said.
Mosko Barros also hopes that the district will be more forthcoming with information that pertains to special education students in the future.
“Transparency, transparency, transparency,” she said. “No more stuffing things under the rug. Give us the information we need to be able to advocate for and protect our kids and to be able to give them their best lives.”