The San Diego Unified School District (“SDUSD”) waited until late in the day on Friday, June 2, 2023, to confirm that a previously undisclosed “cybersecurity incident” in a report it filed with the state Attorney General’s office on December 12, 2022, had expanded even more than previously reported.
The District is sending out data breach notification letters to more individuals, including former District employees whose personal data should not be on any active servers, by June 15, 2023.
The sample data breach letter filed with the Attorney General’s office confirmed that the cybersecurity incident occurred on October 25, 2022 – five weeks before the district’s first notification to employees and student families of this incident.
In its most recent announcement, the District also admitted that in April 2023, two months ago and six months after the breach, this cybersecurity incident also involved the personal information of former District employees. The District had previously admitted earlier this year the security breach involved the disclosure of the medical information of students.
For some reason, the number of individuals affected by this breach has still not been fully disclosed by the District but is now likely in the tens of thousands of individuals as it involved many former and current SDUSD employees.
The district “determined that the stolen data may include [a person’s] name, Social Security number, health plan information, and/or direct deposit information,” the letter stated. Medical information has also been implicated for at least some individuals, but it was not clear from the description of the breach at this time how many people have had their health information compromised.
The letter included in SDUSD’s filing states that the District has “implemented additional security measures to enhance our existing cybersecurity protocols” but doesn’t specify what those measures include. Also, SDUSD confirmed in the letter that it would offer a complimentary one-year membership to an identity monitoring service for victims of this breach, significantly less than what the law may require.
According to the latest announcement, people with questions about the breach can call the District’s dedicated call center at 1-855-504-4525 between 8 a.m. and 5 p.m. Monday through Friday. Anyone who suspects they might have been affected by this breach but has not received a letter by June 15 should also call for more information.
San Diego Unified School District Data Breach
According to NBC San Diego, SDUSD sent its employees and student families the first email on December 1, 2022, informing them of the breach.
SDUSD then reported the breach to the California Attorney General’s office on December 12, 2022, and sent a second email to its employees and student families regarding the breach on December 14, 2022. This newest letter is the third wave of data breach letters being sent out by the District.
Dennis Monahan, the District’s Executive Director of Risk Management & Captive Insurance, originally said, “while the investigation is still ongoing, that certain files stored on San Diego Unified systems were taken by an unauthorized party.”
The investigation to this point “determined that the data involved includes personal information of many current and former employees who have been employed with the district since 2020,” Monahan added.
SDUSD has released very few details about the actual incident but only said that “critical systems” were still operational and there was no impact on their safety and emergency mechanisms at any schools or offices.
California Data Breach Laws Protect You
If you or your student received a Recent Notice of Data Breach from the San Diego Unified School District, you may be entitled to up to $1,000 or your actual damages, whichever is greater, depending on the nature of the data in question.
Participants in data breach lawsuits can recover damages, injunctive relief (to ensure that school districts have reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring. This is because California has laws that specifically protect your personal information, such as:
- The Student Online Personal Information Protection Act (SOPIPA) requires that every online service used primarily for K 12 school purposes must maintain reasonable security procedures and practices to protect student personal information from unauthorized access, destruction, or disclosure.
- The California Confidentiality of Medical Information Act (CMIA) requires that every healthcare provider and healthcare service plan who maintains medical information do so in a way that preserves its confidentiality.
Private Data at Issue is Vulnerable to Misuse and Abuse for Years
If certain types of personal information, like medical information and names, are left unencrypted and are accessed, stolen, or hacked because the District didn’t fulfill its duty to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the SOPIPA and the CMIA.
Medical information (which may be covered depending on the nature of the health plan information at issue) may be covered by the CMIA and, if applicable, provides for an award of statutory damages.
Cyber-crimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is under $20 per record, depending on the type of information, according to Privacy Affairs Dark Web Index of 2021 (Source: E. Harrell, Victims of Identity Theft, 2018. US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, 2021).
Medical records that may be related to health plan information are even more valuable, as they potentially provide access to expensive health care along with other forms of identity theft. Thieves may choose to wait years to capitalize on compromised personal data, particularly Social Security numbers. This is particularly true for students, where the information can be inventoried for years.
The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities. Personal data about minor students, which may include special education information and other highly sensitive materials, should be robustly protected by school districts.
The sensitive nature of this data means that “student information is something that must be handled with great care. [. . . ] As the devices we use each day become increasingly connected, it’s critical that we implement robust safeguards for what is collected, how it is used, and with whom it is shared.” (Source: Kamala Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016)).