Personal Data of Thousands of Special Needs Children Exposed Online

Jeremiah Fowler, cybersecurity researcher. Published on 21st March 2023.

Security researcher Jeremiah Fowler recently discovered, and reported to vpnMentor, a database with no password protection that contained nearly 50,000 records. The publicly exposed documents were invoices belonging to a provider of special education and behavioral health services for school children.

Upon further research it was identified that the records referenced a company called Encore Support Services, which has offices in New York, New Jersey, and Michigan, USA. The exposed invoices contained the student’s name and address, the parent’s name, the student’s OSIS number, the service provider’s name, and more. OSIS stands for Open Student Information System; the OSIS number is a nine-digit identifier issued to every student who attends a New York City public school. The invoices also contained the vendor’s information, including an EIN or SSN tax identification number, and the billing hours from the detailed vendor payment requests. The cost of the services ranged from $150 to $170 an hour and would be paid or reimbursed by the Department of Education.

These services were provided according to each student’s diagnosis. The invoices contained a “Service Type” field with codes that could indicate why a student was receiving special needs services, or reveal medical information about the student. These records were publicly exposed, with no password protection or encryption in place, to anyone with an internet connection. The personally identifiable information (PII) of children should never have been publicly accessible, and I do not know whether this data exposure could be considered a potential HIPAA violation. HIPAA is the acronym for the Health Insurance Portability and Accountability Act, a federal law that sets national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

What the database contained:

  • Number of records exposed: 47,192 items totaling 6.74 GB.
  • Invoices from Encore Support Services submitted to the Impartial Hearing Order Implementation Unit, Division of Specialized Instruction and Student Support, Special Education Office of New York.
  • Each record contained the student’s unique NYC DOE OSIS number, the nine-digit identifier issued to all New York City public school students and printed on the student’s ID card and transcripts.
  • Service codes that indicate a disability, and notes on whether the services were provided at the student’s home or at school. Records for home services contain the names and addresses of the parents.
  • Records go back as far as 2018, with some students having used the services for multiple years.

The risks of this kind of data exposure

When personally identifiable information (PII) is exposed online, there is always a risk it could be used for nefarious purposes. Children are extremely vulnerable because they depend on their parents or guardians to protect their personal information and have little control over their private data or how it will be used. Using social engineering, a criminal could hypothetically contact the parent, pretend to be an Encore Support Services employee or school representative, and simply say, “We are updating our records and need your child’s social security number (SSN) or other information.” They could also claim there is a small payment due and request a credit card number. The parent would have no reason to doubt the fraudster, because the caller would know case numbers, therapy history, the student’s ID or OSIS number, and other insider information.

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. It should be noted that I did not see any social security number in the invoices and only provide this scenario as a real world example of how criminals could obtain additional information. Child identity theft is a serious issue that could impact the child’s future and credit score. When a criminal uses a child's PII they could easily apply for services or benefits, or commit additional fraud in the child’s name. Families and children with special needs often have many challenges and the last thing they need to worry about is being the victim of identity theft.

As a general rule, health records and medical data pose a serious risk because they often describe conditions that will remain with the individual in their permanent health record. Whereas a banking or financial record can be changed or corrected, a health record cannot, and it stays with that person throughout their lifetime. Although the invoices did not directly identify an individual diagnosis, they clearly indicate that the child received health-related education services.

We are not implying any wrongdoing by Encore Support Services, nor are we claiming that these children or parents were ever at risk. We are only highlighting our findings and identifying potential risks of the data exposure and how it could be exploited. The database was closed shortly after I sent a responsible disclosure notice to Encore Support Services. It is unclear how long these records were exposed or if anyone else may have had access to them. It is also unclear if parents, school officials, or the proper authorities have been notified of the data exposure.

About the Author

Cybersecurity researcher at vpnMentor and Co-Founder of Security Discovery.

Jeremiah finds and reports data breaches and vulnerabilities. He identifies real world examples of how exposed data can be a much bigger risk to personal privacy. Together with the vpnMentor team he has helped secure the personal data of millions of people from all over the world.

Jeremiah has over 10 years of experience in cyber security and has found some of the largest data breaches recorded in yearly summaries. After the company he was working for suffered a data breach of its own customers, he became inspired to find out how data exposures happen. What started as digital treasure hunting quickly became more than a hobby, and he went on to become a well-known security researcher and thought leader who frequently appears in the news.

He has been a keynote speaker at multiple security conferences and has given lectures and webinars to startups and Fortune 100 companies on the topics of cyber security, privacy, and data protection. Jeremiah lives by the saying "Do what you love, and you will always love what you do."