Los Angeles School District Hit by Ransomware Attack

A cyberattack targeting the Los Angeles Unified School District caused a significant system outage in the country’s second-largest school district over Labor Day weekend.

The attack disrupted technology used for lessons and attendance and barred students and staff from accessing their emails. Though the attackers used ransomware software for the breach, the school district has yet to receive any monetary demands.

The district confirmed in a statement Monday that the FBI and Department of Homeland Security are assisting local law enforcement in investigating the incident.

“Los Angeles Unified detected unusual activity in its Information Technology systems over the weekend, which after initial review, can be confirmed as an external cyberattack on our Information Technology assets. Since the identification of the incident, which is likely criminal in nature, we continue to assess the situation with law enforcement agencies.”

Authorities believe the attack may have originated internationally and have identified three possible countries, which they have not released to the public.

Ransomware attacks are on the rise in the educational sector. The Los Angeles breach was the 50th cyberattack on educational institutions this year. The migration of school systems to virtual classrooms during the pandemic led to increasingly vulnerable cyberinfrastructures.

Many schools are underfunded and lack the resources to retain adequate IT staff. Attacks are often planned during holidays, when IT security staff is likely to be even sparser. The ideal timing for attackers is often the beginning of the school year, when students return to school and schools are more likely to pay demands to avoid the problems that a catastrophic shutdown could cause.

The hackers did not take any Social Security or medical information and instead targeted systems containing information about private-sector contractor payments. However, the widescale breach points to the continued penetrability of schools’ cyberinfrastructures.

In January, a ransomware extortion attack on the biggest school district in Albuquerque, New Mexico, caused schools to shut down for two days. In May, a data breach in the Chicago Public School system exposed four years’ worth of records of half a million students and 60,000 employees.

One attendance counselor told the LA Times how the shutdown impacted the school’s ability to check on students.

“We do have paper attendance we will be collecting, but I would usually call home or go on home visits to find out students’ whereabouts. Unfortunately, with not having access to their information, I will not be able to find out where those students are. As it is, after the pandemic, we have been working hard to find students.”

The district implemented a response protocol to avoid immediate widescale impact and to prevent future attacks. The district plans to invest in new IT security technology, hire personnel skilled in technology management, and train employees in cybersecurity responsibility.

Because the attack was detected Saturday, students could return to class Tuesday morning. Students and teachers had to reset their passwords but could resume their usual schedules.


Whistle Blower Posts Video of ‘Project Nightingale’ Leaving Google to Face Investigation

A video posted on social media by a whistleblower, stating that Google has been working with Ascension, the second largest healthcare provider in the country, on a secret project, has been met with growing concern.

According to the whistleblower, Project Nightingale has been secretly transferring the personal medical data of up to 50 million Americans from Ascension to Google, without their permission.

The secret project has seen healthcare data being transferred to Google without being de-identified, meaning the full personal details, including names and medical history, are available to be accessed by Google staff.

The whistleblower also shares the news that by the time the full transfer has been completed – around March next year – over 50 million patients across 21 states will have had their personal data sent across to Google, without informing any of the patients or doctors involved.

As well as names, lab results, medical diagnoses and hospitalization records, notes from a private meeting between Ascension employees involved in the project were also shared. In the document, concerns were raised about the way Google would use the personal information, including to build new artificial intelligence.

The meeting also raised security fears such as the transfer being in breach of federal HIPAA rules on data privacy, questions that Google have not answered as yet.

With over 2,600 medical facilities including clinics and hospitals, Ascension – a Catholic network – is believed to be conducting the biggest data transfer so far in the healthcare field. But this isn’t the first such partnership that Google has entered into, although its other partnerships, including one with the Colorado Center for Personalized Medicine, have been on a smaller scale. In that case, however, the data was encrypted, with only the medical center able to access it.

Although the identity of the whistleblower is not known, it is understood they are one of around 300 employees working on Project Nightingale, with roughly a fifty per cent split between Google and Ascension. The Wall Street Journal originally broke the story on Monday 11th November, and the data transfer deal was formally signed only hours later.

The whistleblower decided to go public due to the widespread anxiety among the project’s employees, with many worried about the way in which Google was able to access millions of patients’ personal data.

“Most Americans would feel uncomfortable if they knew their data was being haphazardly transferred to Google without proper safeguards and security in place. This is a totally new way of doing things. Do you want your most personal information transferred to Google? I think a lot of people would say no.”

Concerns have also been raised about so much potentially very valuable information being collated by just one company, along with the possibility that Google could use its own AI analytics to work out medical diagnoses for patients.

“In the future, such risks are only likely to grow. This is the last frontier of extremely sensitive data that needs to be protected.”

Surprisingly, this is not the first time Google has found itself in trouble over its plans to become the leading figure in healthcare analytics and data. Only a few years ago, in 2017, 1.6 million patient records were transferred from the Royal Free Hospital in London, England, to Google’s artificial intelligence division, with the UK’s watchdog on data declaring DeepMind Health to have an ‘inappropriate legal basis’.

Like all companies, Google, and more specifically its parent company Alphabet, has ambitions. Alphabet has made no secret that it wishes to develop new AI tools to predict health patterns, meaning it can improve treatment. Google is also keen to expand into the digital health market and recently announced plans to buy fitness company Fitbit for $2.1 billion.

After the disclosure of Project Nightingale, both Ascension and Google released statements confirming they are keeping in line with all HIPAA and federal health laws, stating that all patient data collected is ‘protected’.

A recent interview by Google Cloud in the Wall Street Journal declared that Google were working towards “ultimately improving outcomes, reducing costs, and saving lives.” Ascension also stated “all work related to Ascension’s engagement with Google is HIPAA compliant and underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”

However, those watching the whistleblower’s video can see that this is something they definitely do not agree with. Annotations appear over the documents suggesting Google are wanting to share or even sell the information to third parties, or even create profiles which can be used to advertise healthcare products.

The whistleblower says ‘Patients haven’t been told how Ascension is using their data and have not consented to their data being transferred to the cloud or being used by Google. At the very least patients should be told and be able to opt in or opt out.’

What happens next remains to be seen, but with companies compiling databases of personal information like these, it is no wonder the US Department of Health has launched an investigation.