We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Personal Data of Thousands of Special Needs Children Exposed Online

Personal Data of Thousands of Special Needs Children Exposed Online
Jeremiah Fowler Published on 21st March 2023 Cybersecurity researcher

Security researcher Jeremiah Fowler recently discovered and reported to vpnMentor a non-password protected database that contained nearly 50,000 records. The publicly exposed documents were invoices belonging to a special education and behavioral health service provider for school children.

Upon further research it was identified that the records referenced a company called Encore Support Services that has offices in New York, New Jersey, and Michigan, USA. The invoices exposed contained the students’ name and address, parent’s name, the students’ OSIS number, the service provider’s name, and more. OSIS stands for Open Student Information System and is a nine-digit number that is issued to all students who attend a New York City public school. The invoices also contained the vendor’s information, EIN / SSN tax identification and billing hours from the detailed vendor payment requests. The cost of the services ranged from $150-$170 an hour and would be paid or reimbursed by the Department of Education.

These services were provided according to the students’ diagnosis. The invoices contained a “Service Type” field with different codes that could potentially indicate why they were receiving special needs services or identify medical data about students. These records were publicly exposed, without password protection in place or encryption, to anyone with an internet connection. The personally identifiable information (PII) of children shouldn’t have been publicly accessible and I do not know if this data exposure could be considered a potential HIPAA violation. HIPAA is the acronym for the Health Insurance Portability and Accountability Act, a federal law that provides national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

What the database contained:

  • Number of Records Exposed: 47,192 items totaling 6.74 GB.
  • Invoices from Encore Support Services submitted to the Impartial Hearing Order Implementation Unit, Division of Specialized Instruction and Student Support Special Education Office of New York.
  • Each record contained the student’s unique NYC DOE OSIS number. This is a nine-digit number that is issued to all students who attend a New York City public school. The number is used on the student's ID card and transcripts.
  • Codes for services provided that indicate a disability. Notes on whether the services were provided at the student’s home or school. The home services contain the names and addresses of the parents.
  • Records go back as far as 2018 with some students having used the services for multiple years.

The risks of this kind of data exposure

When personally identifiable information (PII) is exposed online there is always a risk it could be used for nefarious purposes. Children are extremely vulnerable because they depend on their parents or guardians to protect their personal information and have little control over their private data or how that data will be used. Using social engineering a criminal could hypothetically contact the parent and pretend to be an Encore Support Services employee or school representative and simply say, “We are updating our records and need your child’s social security number (SSN) or other information. They could also say there is a small payment due and request a credit card number”. The parent would have no reason to doubt the fraudster because they would know case numbers, therapy history, the student’s ID or OSIS number, and other insider information.

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. It should be noted that I did not see any social security number in the invoices and only provide this scenario as a real world example of how criminals could obtain additional information. Child identity theft is a serious issue that could impact the child’s future and credit score. When a criminal uses a child's PII they could easily apply for services or benefits, or commit additional fraud in the child’s name. Families and children with special needs often have many challenges and the last thing they need to worry about is being the victim of identity theft.

As a general rule health records and medical data can pose a serious risk because these are often challenges that will remain with the individual in their permanent health record. Whereas a banking or financial record can be changed or corrected, a health record cannot and will stay with that person throughout their lifetime. Although the invoice did not directly identify individual diagnosis it clearly indicates the child received health related education services.

We are not implying any wrongdoing by Encore Support Services, nor are we claiming that these children or parents were ever at risk. We are only highlighting our findings and identifying potential risks of the data exposure and how it could be exploited. The database was closed shortly after I sent a responsible disclosure notice to Encore Support Services. It is unclear how long these records were exposed or if anyone else may have had access to them. It is also unclear if parents, school officials, or the proper authorities have been notified of the data exposure.

About the Author

Jeremiah, an experienced cybersecurity researcher at vpnMentor and co-founder of Security Discovery, is renowned for uncovering some of the world’s most significant data breaches. Together with the vpnMentor team, he has been instrumental in securing the personal data of millions globally.

His journey in cybersecurity, sparked by his interest in a data breach at a former company, transformed from a passion into a recognized expertise, establishing him as a respected thought leader in the industry.

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Please enter a valid email address