Cyber Incident Victim: Lakeside School
Date: Nov 2021
Location: United States of America
Summary
A private educational institution in Seattle experienced a data security incident involving unauthorized access to personal information, including names and medical details. The organization notified affected individuals and regulatory authorities, emphasizing no evidence of misuse but advising vigilance. While external breach response services may have been engaged, specific details regarding the scope, affected parties (students or employees), and precise nature of the medical information remain undisclosed. The incident highlights potential risks associated with sensitive data held by schools, governed under FERPA rather than HIPAA in this context.
Description
On November 3, 2021, Lakeside School, a private institution serving grades 5-12 in Seattle, Washington, notified the Massachusetts Attorney General’s Office of a data security incident. The school’s notification letter disclosed that unauthorized access had occurred involving personal information, specifically individuals’ names together with their medical information. While Lakeside School explicitly stated it had no evidence that the unauthorized party viewed or misused the compromised data, it acknowledged the seriousness of the breach and issued precautionary guidance to affected individuals. The notification advised recipients to monitor financial statements and credit reports for unauthorized activity, offering a dedicated phone line (1-800-939-4170) operational on weekdays during Pacific Time business hours for inquiries. The letter’s return address and letterhead suggested Lakeside had engaged IDX, a breach response service provider, to assist impacted individuals. No further technical details regarding the breach’s origin, attack vector, or intrusion timeline were disclosed in the notification or subsequent public records available at the time of reporting.

Despite the mandatory disclosure to Massachusetts authorities, Lakeside School did not publish any incident notice on its official website as of November 21, 2021. Similarly, no breach notification appeared in the Washington State Attorney General’s public breach registry, where such disclosures are typically archived. DataBreaches.net attempted to obtain additional details by emailing directors of Lakeside’s Middle and Upper Schools but received no response prior to the article’s publication. The nature of the exposed medical information remained unclear—specifically whether it pertained to students or employees—and the legal framework governing its protection was noted as likely falling under FERPA (Family Educational Rights and Privacy Act) rather than HIPAA, given the educational context. The absence of confirmed details regarding the breach’s scope, attacker methodology, or containment measures left significant gaps in public understanding of the incident’s operational impact and remediation efforts. Lakeside’s communication emphasized regret for the inconvenience but provided no specifics about forensic investigations, system repairs, or enhanced security protocols implemented following the breach.
