HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data of More Than 500,000 Staff and Students Compromised in San Diego School District Phishing Attack

The San Diego School District has announced it has suffered a major phishing attack that has resulted in the exposure of the personal data, including health information, of more than 500,000 staff and students.

The phishing attack was detected in October 2018; however, an investigation into the breach revealed the hacker had network access for almost a year. Access to the network was first gained in January 2018 and the attacker continued to access the network until November 2018.

The decision was taken not to alert the hacker to the discovery of the breach immediately. Instead, the school district first investigated the breach to determine the nature of the attack and the extent to which its network had been compromised. Access was only terminated when the initial phase of the investigation was completed.

San Diego School District conducted the investigation in conjunction with the San Diego Unified Police and has identified the hacker responsible for the attack. All compromised accounts have now been reset and unauthorized access to staff and student data is no longer possible.

The phishing emails used in the attack were highly realistic and directed users to a website where they were required to enter their login credentials, which were then harvested by the attacker.

The breach was one of the most severe phishing attacks reported to date. The investigation revealed more than 50 email accounts of district employees were compromised in the attack over the space of 11 months.

The types of information compromised included names, telephone numbers, mailing addresses, home addresses, dates of birth, Social Security numbers, state student ID numbers, schedule information, school attendance information, transfer information, emergency contacts, legal notices, and health information. Compromised employee information also included paychecks and pay advice, staff health benefits enrollment information, beneficiary identity information, savings and flexible spending account data, dependents’ identities, tax information, direct deposit bank names, routing numbers, and account numbers, and payroll and compensation data. The data compromised in the attack dates back to the 2008-2009 school year.

While data access was possible, it is unclear whether the hacker copied any staff and student data. All individuals affected by the breach are now being notified. The wider investigation into the attack is continuing. Additional security measures have now been installed to prevent further breaches of this nature.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.