PowerSchool data breach raises alarms over student medical privacy
Kirsten Peremore Jan 10, 2025 5:58:26 PM
A major education software platform in North America, PowerSchool, experienced a confirmed cyberattack impacting the data of students and teachers.
What happened
On December 28, 2024, PowerSchool, a leading education technology provider for K-12 schools in North America, experienced a cybersecurity incident that resulted in the theft of student and teacher information. Unauthorized persons accessed and extracted data from two tables within the company’s student information system database.
The stolen data included contact details and limited medical information. The breach impacted multiple school districts and local governments, including Westford Public Schools in Massachusetts and the states of North and South Carolina. PowerSchool confirmed the breach on January 9, 2025, stating that the compromised data had been deleted and assuring customers that operational disruptions were not expected.
What was said
According to a Westford, Massachusetts, civic alert, “Yesterday afternoon, Jan. 7, Westford Public Schools was informed by an outside vendor, PowerSchool, the hosting company and provider of the district’s student information system, of a data breach that occurred in late December 2024 for data that is stored off-site. This breach impacted PowerSchool’s broader network and has affected numerous school districts across the country.”
The big picture
The Family Educational Rights and Privacy Act (FERPA), enacted in 1974, protects the privacy of student education records, including health information maintained by schools. The Health Insurance Portability and Accountability Act (HIPAA), implemented in 2002, protects the information held by healthcare providers. Generally, student health records kept by school nurses or health clinics are classified as education records under FERPA and are therefore excluded from HIPAA’s scope.
If a provider outside the school treats a student and shares those records with the school, HIPAA may apply to that information until it becomes part of the school’s maintained records. If a school operates its own health clinic that serves both students and the public, both laws could apply depending on how the records are used.
FAQs
How can the theft of medical data stored by schools and other organizations impact healthcare organizations?
The data accessed could be used to identify healthcare providers treating students. This presents various possibilities, the most dangerous of which is using the data to demand ransom from healthcare organizations under the guise that their systems have been compromised.
Why is medical information stored by educational institutions?
Schools provide health services that require maintaining student health records, including vaccinations, allergies, and chronic conditions.
Which agencies govern cybersecurity in healthcare?
- Department of Health and Human Services (HHS)
- Federal Trade Commission (FTC)