Recently I discovered a non-password-protected database that contained over 16,000 records. These records contained personally identifiable information (PII) of children. This information included their names, date of birth, Patient ID number, home address, school attended, special needs, medical diagnoses, behavioral or social problems, and more data that appears to be recent. Upon further research, there were references to Tridas eWriter. According to online sources, The Tridas Group LLC offers software that works with schools and parents to facilitate the diagnosis and management of children with ADHD, Autism, learning challenges, and other disorders or common conditions.
The findings appeared to be a collection of records from Tridas eWriter questionnaires completed by parents, which the Tridas Center (where assessments of children would take place) suggested should be completed before the first evaluation appointment. I sent a responsible disclosure notice to several contacts of the now-closed Tridas Center, and public access was restricted shortly after, but no one replied to my responsible disclosure notice.
The database included the following:
- Total Records Exposed: Over 16,000
- Internal records of questionnaires completed by parents that include the children’s first and last names, date of birth, physical address, name of the school they attend, parent’s phone number, and detailed physical or mental health information that should not have been publicly exposed. These notes provide profiles of the children’s issues or challenges including medical diagnosis, medicine prescribed, learning disabilities, violence, abuse, or other issues.
- Our findings were validated using a limited sampling of names that appear to be real people who share the same surname as individuals living at the addresses listed in the records according to publicly available resources.