Security researcher Jeremiah Fowler discovered a non-password-protected database that contained nearly 50,000 records. The publicly exposed documents were invoices belonging to a special education and behavioral health service provider for school children.

Upon further research, the vpnMentor team identified that the records referenced a company called Encore Support Services, which has offices in New York, New Jersey, and Michigan, USA. The exposed invoices contained each student’s name and address, the parent’s name, the student’s OSIS number, the service provider’s name, and more.

OSIS stands for Open Student Information System and is a nine-digit number issued to all students who attend a New York City public school. The invoices also contained the vendor’s information, EIN or SSN tax identification numbers, and billing hours taken from the detailed vendor payment requests. The cost of the services ranged from $150-$170 an hour and would be paid or reimbursed by the Department of Education.

These services were provided according to each student’s diagnosis. The invoices contained a “Service Type” field with different codes that could potentially indicate why a student was receiving special needs services or reveal medical data about that student.

These records were publicly exposed, with no password protection or encryption, to anyone with an internet connection. The personally identifiable information (PII) of children shouldn’t have been publicly accessible, and I do not know whether this data exposure could be considered a potential HIPAA violation. HIPAA is the acronym for the Health Insurance Portability and Accountability Act, a federal law that sets national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.


What the database contained:

  • Number of Records Exposed: 47,192 items totaling 6.74 GB.
  • Invoices from Encore Support Services were submitted to the Impartial Hearing Order Implementation Unit, Division of Specialized Instruction and Student Support Special Education Office of New York.
  • Each record contained the student’s unique NYC DOE OSIS number. This is a nine-digit number that is issued to all students who attend a New York City public school. The number is used on the student’s ID card and transcripts.
  • Codes for the services provided that indicate a disability, along with notes on whether the services were delivered at the student’s home or school. The home-service records contain the names and addresses of the parents.
  • Records go back as far as 2018 with some students having used the services for multiple years.