A significant data breach affecting the Pennsylvania State Education Association (PSEA), the state’s largest public-sector union, has exposed the personal information of over 500,000 individuals. The breach, discovered in July 2024 and confirmed in February 2025, involved the theft of sensitive data, including financial and health records.
The Scope of the Breach
The PSEA represents over 178,000 education professionals. However, the breach impacted a far larger number, affecting 517,487 individuals. The organization’s statement regarding the incident is stark:
“PSEA experienced a security incident on or about July 6, 2024 that impacted our network environment,” the organization said in breach notification letters sent to affected individuals. “Through a thorough investigation…we determined that the data acquired by the unauthorized actor contained some personal information belonging to individuals whose information was contained within certain files within our network.”
The stolen data varied by individual but included:
- Driver’s licenses or state IDs
- Social Security numbers
- Account PINs and security codes
- Payment card information
- Passport information
- Taxpayer ID numbers
- Credentials
- Health insurance and medical information
The Broader Implications
The PSEA data breach is a significant event, highlighting the vulnerability of even large organizations to sophisticated cyberattacks.
The involvement of the Rhysida ransomware group further emphasizes the growing threat posed by ransomware attacks and the need for organizations to prepare for and respond effectively to such incidents.
CISA and the FBI have warned that Rhysida affiliates are behind many opportunistic attacks targeting a wide range of sectors.
Rhysida Ransomware’s Extensive Attack History
The Rhysida ransomware-as-a-service (RaaS) operation, responsible for the PSEA breach, emerged in May 2023. It quickly gained notoriety after breaching the British Library and the Chilean Army (Ejército de Chile).
Rhysida’s targets demonstrate a wide range of victims and a willingness to engage in high-stakes attacks. In November 2023, the group hacked Sony subsidiary Insomniac Games, leaking 1.67 TB of data after a $2 million ransom demand was refused.
Further illustrating their reach, Rhysida affiliates claimed responsibility for a cyberattack on Lurie Children’s Hospital in Chicago in February 2024, offering the stolen data for 60 BTC (approximately $3,700,000 at the time).
In other incidents, the Singing River Health System reported a breach impacting nearly 900,000 individuals in August 2023, and the City of Columbus, Ohio, experienced a Rhysida-related breach affecting 500,000 people in July 2024.
CISA and the FBI have issued warnings about Rhysida’s opportunistic attacks across various sectors, with the U.S. Department of Health and Human Services (HHS) specifically linking the group to attacks on healthcare organizations. The PSEA is offering free credit monitoring and identity restoration services to those whose Social Security numbers were compromised.