An adoption and foster care non-profit linked to the family of Department of Education Secretary Betsy DeVos exposed highly sensitive personal and medical information of dozens of children, Motherboard has learned.
The charity, called Bethany Christian Services, is one of the nation's largest adoption agencies and helps place children for adoption and foster care. It works with vulnerable children in the U.S. as well as refugees and immigrants.
"Our vision is to find a loving family for every child who needs one—that is where they thrive best," the group says on its website.
The exposed data was stored in PDFs openly available on its website. Some PDFs, titled "Children Medical Examination Records," included the children's names, dates of birth, the hospital or orphanage where they were based, and extremely sensitive medical information.
This includes a child's HIV status, number of teeth, lab test results, and whether the child has any physical deformities ("Spine: no deformity"; "Liver: not palpable under the rib"; "Anus: no abnormal findings" are examples of the data contained on the form). Other information exposed includes a "Growth Report" that explains the child's background and "motor skills and intellectual development." One notes that a child arrived "wearing yellow baby clothes and she was placed in a paper box" and that, between the ages of 10 and 12 months, "she knows her name, can get biscuits, and feeds herself."
The charity has multiple connections to the DeVos family: Brian DeVos, a cousin of Betsy DeVos' husband, was a senior vice president at the organization; Maria DeVos has served on Bethany's board; and the DeVos family foundations donated more than $6 million to the charity between 1998 and 2016, according to NPR.
Bethany Christian Services has been criticized for excluding LGBTQ parents, for sending targeted ads to women at Planned Parenthood clinics that encourage them to put their child up for adoption rather than get an abortion, and for using the Trump administration's child separation policy on the US-Mexico border to ask for donations. Bethany has placed migrant children with families in the United States as a result of that crisis and has several contracts with federal and state governments.
An independent security researcher originally flagged the issue to Motherboard. The researcher requested anonymity given the "nature of the situation," they said. The problem was that the PDFs were easy to find on Bethany's website if you knew the particular, but predictable, URL to visit.
To verify the exposure, Motherboard wrote a script that enumerated the different document identifiers and made a list of URLs, then fed those into a tool to download the PDFs en masse. Motherboard retrieved 40 PDFs, the only ones we found, but is unsure whether more data was also exposed. Motherboard could not determine why the data of these 40 children was left exposed, and Bethany Christian Services did not elaborate on why their data was left online.
A Bethany Christian Services spokesperson told Motherboard in an emailed statement, "The health, safety, and privacy of children is of the utmost importance at Bethany. Adoption data technology practices are ever-evolving and have changed dramatically over the years. Bethany has been a leader in driving best practices on data privacy and has instituted controls to protect the information that is required by U.S. and international guidelines and laws to be shared with prospective adoptive families. Bethany will continue to review and improve our data security measures to ensure that children are always protected."
At the time of writing, the data is no longer accessible on the Bethany website.