A major education software platform in North America, PowerSchool, experienced a cyberattack impacting the data of students and teachers.
On December 28, 2024, PowerSchool, a leading education technology provider for K-12 schools in North America, experienced a cybersecurity incident that resulted in the theft of student and teacher information. Unauthorized persons accessed and extracted data from the company’s student information system database.
Following the breach, PowerSchool notified affected districts on January 7, 2025, prompting immediate investigations and responses from numerous educational institutions, including Frederick County Public Schools (FCPS) and Westford Public Schools. FCPS confirmed that their data was affected during a transition to PowerSchool's system and began working with cybersecurity firm CrowdStrike to assess the impact.
PowerSchool assured clients that the incident was contained and that no data had been found on the dark web. As of January 10, 2025, investigations are ongoing to determine the full scope of the breach and its implications for affected parties.
The Family Educational Rights and Privacy Act (FERPA), enacted in 1974, protects the privacy of student education records, including health information maintained by schools. The Health Insurance Portability and Accountability Act (HIPAA), implemented in 2002, protects the information held by healthcare providers. Generally, student health records kept by school nurses or health clinics are classified as education records under FERPA and are therefore excluded from HIPAA’s scope.
If a provider outside the school treats a student and shares those records with the school, HIPAA may apply to that information until it becomes part of the school’s maintained records. If a school operates a health clinic that serves both students and the public, both laws could apply depending on how the records are used.
With hackers gaining access to personal information such as names, addresses, Social Security numbers, and medical records, healthcare providers could face a myriad of challenges. For instance, the compromised Social Security numbers could be exploited for identity theft, leading to fraudulent claims for medical services or prescriptions. If medical records were accessed or altered, healthcare providers might inadvertently rely on inaccurate information when making treatment decisions, potentially jeopardizing patient safety.
Parents should freeze their child's credit report with the three major credit bureaus (Equifax, Experian, and TransUnion) to prevent identity theft and unauthorized credit applications. This process is free and restricts access to the child's credit report. Parents should also monitor their child's financial accounts for any signs of unusual activity and consider enrolling in an identity theft protection service that can provide alerts for any suspicious use of their child's information.
When a data breach occurs, schools must communicate effectively with stakeholders, including parents, students, and staff, to maintain trust and transparency. Schools should promptly issue a clear and concise notification detailing the nature of the breach, what information was compromised, and the potential risks involved.
Yes, healthcare providers treating patients whose data may have been compromised in a breach should be notified.