Hackers Abscond with Florida Hospital Records, Release Sex Video of Gay Teacher; DC Special Ed Student Data Leaked

val lawless/Shutterstock.com

Just another week in ThreatWatch, our regularly updated index of noteworthy data breaches.

In case you missed our coverage this week in ThreatWatchNextgov’s regularly updated index of cyber breaches: 

DC Displayed Private Information on 12,000 Students with Disabilities

The accident occurred when someone in the District’s Office of the State Superintendent of Education uploaded the data to a public D.C. Council account in Dropbox, a cloud service that provides large amounts of storage space online. 

The data was posted prior to a council oversight hearing on the education department.

All affected students, who attend public and charter schools in kindergarten through 12th grade, are part of the city’s Individualized Education Program, which provides tailored education plans for special needs students. 

The information exposed included each student’s identification number, race, age, school, disabilities and any services he or she receives. 

The office says one person downloaded the document from the Internet. That person was part of a community organization that has verbally agreed to delete the document, according to officials. 

Gay Teacher Fired after Hacker Leaks Sex Video

A Little Rock, Arkansas, high school teacher learned last September an unidentified hacker had posted an intimate video of him and an adult male partner on his faculty webpage. Brian Cody Bray believes the attacker broke into his home computer to steal the video along with student contact information. 

"The school’s principal and the executive director of the school district summoned him to a meeting the following week, where he said he attempted to explain that someone hacked into his email account and apparently gained access to his user names and passwords for various accounts, including his account with the online file storage site known as Dropbox," the Washington Blade reports. 

According to a website Bray created to explain the incident, which he calls a cyber hate crime, the hacker changed the name of the Dropbox folder in which the video file was stored from “Private” to a one containing a gay slur. The alteration was a clear sign, Bray says, that the hacker had targeted him because he is gay.

It was widely known at Bray’s school he is gay. 

The video was first posted on the school website Sept. 28, 2015, according to a posting time stamp on the site. On that same day, someone identifying himself as “Jonathan” began sending text messages to one of Bray’s students telling the student his teacher Bray was gay and that the student should look at the video.

Bray, who posted a screenshot of the text messages, said he believes “Jonathan” is the hacker, whom Bray doesn’t believe is a student. The caller's cell phone number was obfuscated.

Bray had saved the student’s phone number in his computer files along with the numbers of other students whom he sometimes spoke with about school-related activities. He believes the hacker obtained those numbers when he or she gained access to Bray’s personal files.

School officials fired him Oct. 8, 2015, because they said he had lost authority over his students.

Brother-Sister Email Exchanges Breached Washington Medicaid Patient Data

Two Washington state employees — a woman who worked for the state Health Care Authority and her brother, who worked for the Department of Social and Health Services — apparently emailed each other messages containing private health information for years. 

The woman was a medical-assistance specialist and her brother was an Internet technician.

The pair told investigators the sister asked her brother for technical help with spreadsheets that contained Apple Health Medicaid program records, saying the information was not used for improper purposes or forwarded to unauthorized users.

A whistle-blower within department alerted officials to the issue.

The transfer of information violated patients’ privacy rights and indicated a pattern of behavior, said Steve Dotson, HCA risk manager. 

“We have no indication that the client files went beyond the two individuals involved,” he said. Letters were sent Feb. 9 to affected Medicaid members.

The case has been referred to federal officials for further investigation, including possible criminal review.

The information swapped included client Social Security numbers, dates of birth, Apple Health identification numbers and private health information.

Secretary Suspected of Absconding with Miami-Dade Hospital Records

In a memo, Carlos Migoya, CEO of Jackson Health System, the region’s taxpayer-owned hospital network, refers to the accused female as “a rogue Jackson employee.”

Evelina Reid, a hospital unit secretary and Jackson Health staffer since 2005, was assigned to the main operating room. She earned about $33,000 in 2014.

Reid allegedly stole troves of private patient data over the past five years in a scheme that may have compromised more than 24,000 records. She has been placed on administrative leave.

The breach exposed patient names, dates of birth, Social Security numbers and home addresses.

The news comes four days after the hospital announced the firing of two employees for snooping into the private information of New York Giants star player Jason Pierre Paul, whose right index finger was amputated at Jackson Memorial last year. His patient chart was leaked to ESPN.

(Image via /Shutterstock.com)