社区黑料

Get stories like this delivered straight to your inbox. Sign up for 社区黑料 Newsletter

Updated Aug. 16

An education technology company that built an app for Los Angeles students to receive telehealth services during the school day has fallen victim to a data breach that puts students鈥� sensitive information in jeopardy, a disclosure to state regulators reveals. 

The company, Kokomo Solutions, also hosts an anonymous tip line where Los Angeles community members can , safety threats and mental health crises to the school district鈥檚 police department. In filed with the California attorney general鈥檚 office, the company disclosed that an unspecified number of individuals鈥� personal information was compromised after an 鈥渦nauthorized third party鈥� accessed its computer network and the exposed files pertained to the Los Angeles Unified School District. 

The company, also known as Kokomo24/7, says it discovered the unauthorized access on Dec. 11, 2024, nearly eight months before it disclosed what happened to victims. The district has not issued any public statements alerting students and families that their sensitive information may have been compromised. 

Kokomo24/7, which has apparently scrubbed its website over the last few days of references to its work with the nation鈥檚 second-largest district, did not respond to requests for comment.

A Los Angeles Unified spokesperson said the company notified the school system on Dec. 12, 2024, “that an unauthorized user gained access to certain files containing personal information, stored on behalf of the District.” The spokesperson said the breach was not connected to LAUSD’s telehealth program or its student patients, but did not say whose information was exposed. They said it was Kokomo’s responsibility to handle disclosure to all affected parties and that, as far as L.A. school officials know, “there has been no evidence of personal information being shared as a result of the breach.”

While many details about the breach remain unknown, including the specific types of information that were compromised and whether it was the result of a cyberattack, the incident raises red flags because 鈥渢here鈥檚 no question that [Kokomo is] managing exceptionally sensitive information鈥� about campus safety issues and students鈥� medical information, school cybersecurity expert Doug Levin said. 

鈥淭his is another example of schools outsourcing the collection and management of exceptionally sensitive data on school communities which, if abused, could affect the health and safety of the school community,鈥� said Levin, the co-founder and national director of the K12 Security Information eXchange. 鈥淲e definitely would benefit from knowing more about how they were compromised and how they鈥檙e going to fix it.鈥�

District officials have touted the telehealth service to parents since the data breach was disclosed. In an Aug. 8 live video session over Facebook, a district student and community engagement specialist gave that laid out L.A.鈥檚 back-to-school offerings.

Parent advocate Evelyn Aleman, who facilitated the event, said she was pleased to learn about the telehealth service during the presentation. Parents grew accustomed to telehealth during the pandemic and the virtual service could benefit families who have been advocating for better health services in schools, she said. But she hadn鈥檛 heard about the data breach before being contacted by 社区黑料.

鈥淚 have a lot of questions: Was the person who was presenting to the group aware that [the breach] had happened?鈥� asked Aleman, who founded the group Our Voice to advocate for low-income and Spanish-speaking L.A. families. 鈥淎nd how deep was the breach? Obviously that would be of concern to the parents.鈥�

, the Los Angeles Schools Anonymous Reporting app allows students, parents and others in the community to report 鈥渟uspicious activity, mental health incidents, drug consumption, drug trafficking, vandalism and safety issues鈥� to the district鈥檚 . 

That same year, L.A. schools  鈥� along with the Children鈥檚 Hospital Los Angeles and Hazel Health 鈥� to launch new . The $800,000 program, funded by , is designed to provide app-based mental and physical health care to students, including at school. Hazel Health provides virtual mental health services, according to the district鈥檚 website, while Kokomo24/7鈥檚 services focus on physical health issues, including minor injuries, allergies and headaches. 

In , the district describes its Kokomo24/7-managed telehealth program as an option for students 鈥渢o access healthcare when not feeling well during school hours鈥� with the supervision of a school nurse 鈥渨hile remaining in school and focusing on learning.鈥� 

Kokomo founder and CEO Daniel Lee lauding the company鈥檚 ability to 鈥渢ransform鈥� L.A. Unified鈥檚 COVID-tracking and health data system in a year after the school system鈥檚 previous tool became 鈥渃lunky, difficult to customize and expensive to maintain.鈥� The post notes the company鈥檚 role in creating the anonymous reporting application and the district鈥檚 Incident System Tracking Accountability Report, an internal tool to document injuries, medical emergencies and campus threats.

The Kokomo24/7 breach is the latest in a series of data privacy incidents affecting L.A. schools, including a high-profile ransomware attack in 2022 that led to the exposure of thousands of students鈥� mental health records. Schools Superintendent Alberto Carvalho at first categorically denied that students鈥� psychological evaluations had been exposed but then had to acknowledge that they were after 社区黑料鈥檚 investigation revealed the records鈥� existence on the dark web.

Meanwhile, the district鈥檚 rollout last year of a highly touted AI chatbot named 鈥淓d鈥� was derailed after AllHere, the ed tech company hired to develop the $6 million project, shuttered abruptly and filed for Chapter 7 bankruptcy. The company鈥檚 founder and CEO, Joanna Smith-Griffin, was then indicted on charges she defrauded investors of some $10 million. A company whistleblower told 社区黑料 AllHere鈥檚 student data security practices violated both industry standards and the district鈥檚 own policies. 

The L.A. district for the chatbot bid 鈥� including Kokomo24/7 鈥� before awarding the contract to AllHere. Both the bankruptcy and criminal cases are pending. In July, a school district spokesperson told 社区黑料 that Ed 鈥渞emains on hold.鈥� 

The Kokomo24/7 website lists a wide suite of products, primarily in physical security including building access control systems, emergency alarms and visitor management tools. It also names large companies among its customers, including The Oscars 鈥� the company was the 鈥渉ealth and safety software provider鈥� 鈥� United Airlines鈥� subsidiary United Express and Fifth Third Bank. 

But the Illinois-based company has a relatively small footprint in the education sector, according to records in the GovSpend government procurement database. Among the handful of its school district clients is the Hartford, Connecticut, school system where educators spent more than $60,000 between 2020 and 2023 for licenses to to screen students鈥� temperatures, track infections and conduct contact tracing. Glendale Unified, a neighboring district to Los Angeles, is also listed as a client on the company鈥檚 website.

Kokomo24/7鈥檚 connections to the L.A. district were widely featured on the company鈥檚 website until this week. In fact, listed four foundational events, including the 2023 launch of the 鈥渁nonymous reporting app for students and an emergency alert system for staff鈥� for the L.A. district.

The reference to the school district was removed from the company timeline this week, as was a banner attributing a quote to Carvalho, a picture of district police officers and the district police department鈥檚 logo. Press releases announcing Kokomo鈥檚 work with the L.A. district appear to have also been scrubbed from the internet. 

The since-removed Carvalho quote called 鈥渃ritically important.鈥� Though slightly misstated, the remark comes from a March 2023 school board meeting where Carvalho boasted of people鈥檚 ability to 鈥渞elay in an anonymous way 鈥� or not 鈥� potential threats鈥� to a student or a school. 

The Los Angeles Schools Anonymous Reporting app hasn鈥檛 been universally praised, and last year filed by anti-surveillance activists who alleged the tool created 鈥渁 culture of mass suspicion鈥� and bolstered police interactions between students of color and those with disabilities. 

The Stop LAPD Spying Coalition, which filed the lawsuit seeking records about the app, students, parents and community members 鈥渢o surveil each other鈥� on behalf of school police and to file reports that don鈥檛 require evidence. It also questioned why the community was being encouraged to file reports on people in mental health crises as part of a broader effort to investigate 鈥渟uspicious activity.鈥� 

鈥淭he app criminalizes mental health, perpetuating the idea that if someone has a mental illness they are inherently a threat to others,鈥� the activist .

Did you use this article in your work?

We鈥檇 love to hear how 社区黑料鈥檚 reporting is helping educators, researchers, and policymakers.