Personal Data of Thousands of Special Needs Children Exposed Online
Security researcher Jeremiah Fowler recently discovered and reported to vpnMentor a non-password-protected database that contained nearly 50,000 records. The publicly exposed documents were invoices belonging to a special education and behavioral health service provider for school children.
Upon further research, it was identified that the records referenced a company called Encore Support Services, which has offices in New York, New Jersey, and Michigan, USA. The exposed invoices contained the student’s name and address, the parent’s name, the student’s OSIS number, the service provider’s name, and more. OSIS stands for Open Student Information System; the OSIS number is a nine-digit number that is issued to all students who attend a New York City public school. The invoices also contained the vendor’s information, EIN / SSN tax identification, and billing hours from the detailed vendor payment requests. The cost of the services ranged from $150-$170 an hour and would be paid or reimbursed by the Department of Education.
These services were provided according to the student’s diagnosis. The invoices contained a “Service Type” field with different codes that could potentially indicate why students were receiving special needs services or identify medical data about them. These records were publicly exposed, without password protection or encryption in place, to anyone with an internet connection. The personally identifiable information (PII) of children shouldn’t have been publicly accessible, and I do not know if this data exposure could be considered a potential HIPAA violation. HIPAA is the acronym for the Health Insurance Portability and Accountability Act, a federal law that provides national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
What the database contained:
- Number of Records Exposed: 47,192 items totaling 6.74 GB.
- Invoices from Encore Support Services submitted to the Impartial Hearing Order Implementation Unit, Division of Specialized Instruction and Student Support Special Education Office of New York.
- Each record contained the student’s unique NYC DOE OSIS number. This is a nine-digit number that is issued to all students who attend a New York City public school. The number is used on the student's ID card and transcripts.
- Codes for services provided that indicate a disability. Notes on whether the services were provided at the student’s home or school. The home services contain the names and addresses of the parents.
- Records go back as far as 2018 with some students having used the services for multiple years.
The risks of this kind of data exposure
When personally identifiable information (PII) is exposed online, there is always a risk it could be used for nefarious purposes. Children are extremely vulnerable because they depend on their parents or guardians to protect their personal information and have little control over their private data or how that data will be used. Using social engineering, a criminal could hypothetically contact the parent, pretend to be an Encore Support Services employee or school representative, and simply say, “We are updating our records and need your child’s social security number (SSN) or other information.” They could also say there is a small payment due and request a credit card number. The parent would have no reason to doubt the fraudster because they would know case numbers, therapy history, the student’s ID or OSIS number, and other insider information.
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. It should be noted that I did not see any social security number in the invoices and only provide this scenario as a real-world example of how criminals could obtain additional information. Child identity theft is a serious issue that could impact the child’s future and credit score. When a criminal uses a child’s PII, they could easily apply for services or benefits, or commit additional fraud in the child’s name. Families and children with special needs often have many challenges, and the last thing they need to worry about is being the victim of identity theft.
As a general rule, health records and medical data can pose a serious risk because they often describe challenges that will remain with the individual in their permanent health record. Whereas a banking or financial record can be changed or corrected, a health record cannot and will stay with that person throughout their lifetime. Although the invoices did not directly identify an individual diagnosis, they clearly indicate that the child received health-related education services.
We are not implying any wrongdoing by Encore Support Services, nor are we claiming that these children or parents were ever at risk. We are only highlighting our findings and identifying potential risks of the data exposure and how it could be exploited. The database was closed shortly after I sent a responsible disclosure notice to Encore Support Services. It is unclear how long these records were exposed or if anyone else may have had access to them. It is also unclear if parents, school officials, or the proper authorities have been notified of the data exposure.