Mendocino Office of Education Data Breach

Mendocino County Office of Education Announces Possible Ransomware Attack or Data Hack

If either you or your student received a recent Notice of Data Breach from the Mendocino County Office of Education (MCOE), you may be entitled to up to $1,000 or your actual damages, whichever is greater, depending on the nature of the data in question.

On July 25, 2023, the MCOE officially reported to the California Office of the Attorney General — after five months — that it had suffered a data breach and network disruption.

MCOE reported that the hack occurred on March 6, 2023, and blocked the MCOE’s ability to access portions of its network while they were accessed by an “unauthorized individual” — a classic sign of a ransomware attack, although MCOE failed to disclose whether it was. MCOE serves over 13,500 K-12 students.

On March 7, 2023, the Mendocino County Office of Education issued a press release stating,

“We are working around the clock with this task force to determine the scope of the incident and securely restore our network. Since our investigation is in its early stages, we are unable to provide specific information at this time. However, if our investigation determines either employee or student data is affected, we will notify individuals as quickly as possible.”

On March 31, 2023, the MCOE issued a second press release, admitting that a host of student and family personal, financial, and medical information was potentially accessed by the unauthorized third party, including names and the following critical information that had been left unprotected:

  • address
  • phone number
  • email address
  • student identification number
  • date of birth
  • Social Security number / IRS PIN number
  • passport number, driver’s license/state identification number, tax identification number
  • birth/marriage certificate
  • financial account information
  • medical information/health insurance information
  • fingerprint/iris scan
  • parent/guardian name
  • place of birth
  • student class list
  • course schedule/class list
  • disciplinary information
  • grades, class rank
  • Individualized Educational Plan (IEP) information

Although MCOE promised families that affected individuals would be notified “as quickly as possible,” it waited almost 5 months from the date of the cyber-attack to send notices to affected individuals, finally beginning to send out notices in late July 2023.

The scope of the impacted data is breathtaking. The loss of even a fraction of this data leaves victims open to a host of financial and medical abuses, including identity theft, the potential filing of false tax returns, and health insurance fraud.

Medical information and IEP information are among the most sensitive and confidential information students and families possess. For example, if entire special education files have been compromised, those files may include psychological analyses, cognitive testing, mental and physical health observations, teacher evaluations, and other highly sensitive information.

MCOE’s Violation of California’s Data Breach Laws May Mean You are Entitled To Compensation

Participants in data breach lawsuits can recover damages, injunctive relief (to ensure that there are reasonable security practices to protect personal data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims. Medical information may be covered by the California Confidentiality of Medical Information Act (CMIA), which, if applicable, provides for an award of statutory damages.

Thieves may choose to wait years to capitalize on compromised personal data, particularly Social Security numbers. This is particularly true for students, where the information can be inventoried for years, and for medical records, which can be used for purposes of identity theft or health care fraud.

The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities. Personal data about minor students, which may include special education information and other highly sensitive materials, should be robustly protected by county education offices, school districts and schools. The sensitive nature of this data means that “student information is something that must be handled with great care. [. . .]” (Source: Kamala Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016)).