Online exposure of invoices containing the personal information of thousands of children with special needs could enable fraudsters to identify medical data.
Encore Support Services, a company based in the United States, had 47,192 records compromised. These bills were sent to the New York Impartial Hearing Order Implementation Unit, Division of Specialized Instruction and Student Support, Special Education Office.
Invoices discovered by security researcher Jeremiah Fowler and reported to vpnMentor contained the names, addresses, and OSIS numbers of students who attended New York public schools, along with details of their parents.
The exposed records also included the vendor’s name, EIN/SSN, and billing hours from the detailed vendor payment requests. Because these services were provided based on the student’s diagnosis, the records could indicate why a student received special needs services or reveal medical information about the student.
Personally identifiable information (PII) that is exposed online can be used by fraudsters. In this scenario, a criminal posing as an Encore Support Services employee or school representative could contact parents and request their child’s SSN or credit card number. Because the con artist would already possess a wealth of insider information about the child, parents could easily be led to trust them.
According to experts, the exposure of medical data is extremely dangerous because fraudsters can use it to provoke an emotional response in vulnerable individuals. Additionally, medical record theft can result in identity theft.
According to Fowler, a child’s future and credit score could be affected by identity theft. The criminals could use the identity of the child to apply for services or benefits or to commit additional fraud.
According to the researcher, the database was shut down shortly after Encore Support Services was informed of the data breach. It is unknown how long these records were exposed and who had access to them, if anyone.