In a letter sent out to employees on February 24, 2023, the Sweetwater Union High School District (“Sweetwater”) admitted for the first time that it was the subject of a previously undisclosed “cybersecurity incident” that took place on or about February 12, 2023.
The number of individuals impacted by this security breach has not been fully disclosed, but it could be in the thousands of individuals. Sweetwater’s internet and student services portals have been shut down for over two weeks. It may be another week before its computer systems have been fully restored.
It also has been reported that the superintendent of the Sweetwater Union High School District sent the following email to parents:
Dear Sweetwater Parents and Guardians:
On February 12, 2023, we became aware of an incident that has impacted the availability of certain systems, including email, within our network. We immediately launched an investigation. As part of that investigation, we will be shutting down internet access to certain of our systems. You will still be able to access some Sweetwater applications from systems not connected to our network, such as home computers or other personal devices connected to the internet at home or outside of the school district buildings. We understand this will be inconvenient, but we are focused on securely restoring our systems as quickly and as safely as possible. We are working quickly to determine what occurred in addition to restoring services. While our investigation is in the early stages, to the extent the investigation determines that any individuals’ personal information was accessed or acquired, we will communicate directly with those individuals. We appreciate your support during this challenging time.
While the pandemic has increased our overall reliance on technology, we will continue to be proactive and to consult with top public and private sector technology and cyber-security professionals to ensure we continue to be at the forefront of any necessary changes. These actions are necessary to ensure an excellent educational experience for all of our students, as well as our staff and the community.
Sincerely,
Dr. Moises Aguirre
Superintendent
Sweetwater currently asserts that the incident did not impact student information but said that while it does not have evidence that employee information was compromised, “it is possible that may change as our investigation continues.” It may be weeks before Sweetwater can advise employees if their data has been compromised, leaving employees in the dark about whether to take action at this time.
In the interim, Sweetwater is offering its employees a years-worth of credit monitoring and data protection services from Equifax.
Further, it is unclear from the District’s response whether students and parents, or guardians who interacted with Sweetwater teachers and other district employees through email or other electronic communications may have had those communications compromised. To date, no data protection services are being offered to District families.
According to a class action investigation, Sweetwater emailed its employees on February 24, 2023, informing them vaguely of this breach. Sweetwater previously would not even admit it was subject to a cyber-attack and has still released very few details about the actual incident.
There are approximately 36,000 students in the Sweetwater District and thousands of employees throughout San Diego County. According to its website, “The district’s 32 campuses are located in the cities of Chula Vista, Imperial Beach, National City and San Diego, including the communities of Bonita, Eastlake, Otay Mesa, San Ysidro and South San Diego.”
Special California Data Breach Laws Protect You
There is an ongoing class action investigation over this data breach incident. If you are a Sweetwater employee or have interacted electronically with any District teachers or employees, depending on the data that may have been compromised, you may be entitled to up to $1,000 or your actual damages, whichever is greater.
Participants in class action data breach lawsuits can recover damages, injunctive relief (to make sure that school districts such as Sweetwater have reasonable security practices in place to protect sensitive data from being leaked again), and anything else a court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.
California has laws that specifically protect your personal information, such as:
- The California Confidentiality of Medical Information Act (CMIA) requires that every healthcare provider and healthcare service plan who maintains medical information do so in a manner that preserves its confidentiality. Medical information (which may be covered depending on the nature of the health plan information at issue) may be protected under the CMIA and, if applicable, provides for an award of statutory damages of $1,000.
- Article I, Section I of the California State Constitution provides that every person in the State of California has an inalienable right to privacy. This includes a legitimate expectation of privacy in your personal and medical information. Under the California Constitution, all state residents are entitled to the protection of this information against disclosure to unauthorized third parties.
The Data at Issue Can Be Vulnerable and Subject to Misuse and Abuse For Years
Cyber-crimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is under $20 per record, depending on the type of information, according to Privacy Affairs Dark Web Index of 2021 (Source: E. Harrell, Victims of Identity Theft, 2018. US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, 2021).
As part of a class action investigation, if certain types of personal information, like medical information, Social Security numbers, and names, are left unencrypted and are accessed, stolen, or hacked because Sweetwater didn’t fulfill its obligation to implement and maintain reasonable security, affected California residents can sue to protect their rights.
Medical records related to employee health plan information are particularly valuable, as they potentially provide access to expensive health care and other forms of identity theft. Thieves may wait years to capitalize on compromised personal data, particularly Social Security numbers. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.
“As the devices we use each day become increasingly connected, it’s critical that we implement robust safeguards for what is collected, how it is used, and with whom it is shared.” (Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016)).