PowerSchool breach exposed special education status, mental health data and parent restraining orders

Sensitive student information including special education status, mental health details, disciplinary notes and parental restraining orders were exposed in the recent hack targeting PowerSchool, highlighting how easily troves of unique personal data can be obtained by hackers.

PowerSchool, an education software company, told Recorded Future News that about 6,500 of its more than 18,000 clients were impacted in the hack announced last month. Although PowerSchool has not said how many individuals are affected, the hacker allegedly behind the incident reportedly claimed they obtained data belonging to 62.4 million students and 9.5 million teachers.

Many impacted school districts have shared limited details about exposed data. However, interviews with parents and administrators, as well as notifications sent to parents by two districts, show that highly sensitive categories of data were exposed.

PowerSchool has said that in some cases a medical alert field containing health information parents wanted their students’ schools to be aware of was compromised. The company cited food allergies as an example of a medical alert, but one parent interviewed by Recorded Future News said that in her case her daughter’s anxiety disorder and the fact that she had been receiving therapy was listed.

A notification email sent to parents in the Wakefield, Massachusetts school district said that custody alerts — including information such as custody agreements, restraining orders and other legal information — were exposed for 31 prior and current students.

A data field identifying students with special education plans was exposed for 708 former and current students, the email said. Additionally, medical alerts for 1,384 current and former students were exposed.

Wakefield school officials called the three categories of data sensitive information that is “protected by state and federal student records laws and regulations.”

In Toronto, students whose profiles listed medical alerts, special education status and disciplinary notes dating back to 2017 were exposed, the district told parents.

The Toronto District School Board is the largest in Canada and one of the largest in North America with nearly 600 schools serving about 239,000 students annually.

When asked why it had not listed special education status, custody agreements and disciplinary notes in its original notice about the types of information exposed, a PowerSchool spokesperson said those fields are not created by PowerSchool and were “customized” add-ons put in place by schools.

Adam Larsen, an assistant superintendent at an Illinois school district who also works as a data consultant for schools, said a handful of his school district clients had sensitive student mental health and special education data exposed.   

“The kinds of things that got snagged by the hackers are statuses — a student has an IEP or a 504 [special education designations], they have anxiety disorder, there is an order of protection,” Larsen said, adding that his own district had not been breached. “It’s usually high level like, ‘Hey, everyone this kid has an anxiety disorder so you should be aware that they might have panic episodes.’”

Larsen said he has been helping his school district clients audit their systems in the wake of the hack and for districts where sensitive student information leaked “they’re pretty unhappy because they feel like as stewards of that data, that they have a responsibility to ensure that it is taken care of, and they never expected a threat vector like this.”