Invoices containing the personal information of thousands of special needs children, potentially allowing fraudsters to identify medical data, have been exposed online.
A database of 47,192 records from the United States-based company, Encore Support Services, was exposed. These invoices were submitted to the Impartial Hearing Order Implementation Unit, Division of Specialized Instruction, and Student Support Special Education Office of New York.
Discovered by the security researcher Jeremiah Fowler and reported to vpnMentor, the invoices included students' and their parents' names, addresses, and the students' OSIS numbers, which are issued to those who attended New York public schools.
The exposed records also contained the vendor's information, EIN / SSN tax identification, and billing hours from the detailed vendor payment requests. Because these services were provided according to the student's diagnosis, the invoices could indicate why a student received special needs services or identify medical data about them.
Why is it dangerous?
When exposed online, personally identifiable information (PII) can be used by fraudsters. In this case, a criminal pretending to be an Encore Support Services employee or school representative could contact parents and tell them they need a child's social security number or a credit card number. Because scammers already know a lot of insider information about the child, parents could easily trust them.
Experts say exposure of medical data is extremely serious because fraudsters can use this information to instigate an emotional response in people in vulnerable situations. Moreover, having your medical records stolen can result in identity theft.
According to Fowler, child identity theft could impact a child's future and credit score. The criminals could use the child's identity to apply for services or benefits or commit additional fraud.
The researcher says the database was closed shortly after Encore Support Services was notified of the data exposure. However, it is unclear how long these records were exposed or if anyone else may have had access to them.