[BreachExchange] Bay Village High School staff member retiring after private records released for entire senior class

Fri Dec 10 11:10:47 EST 2021

https://fox8.com/news/bay-village-high-school-staff-member-retiring-after-private-records-released-for-entire-senior-class/

BAY VILLAGE, Ohio (WJW) – The Bay Village City School District gave an
update Thursday after private student records for the entire senior class
were released last month.

A Bay High School staff member intended on emailing seniors and their
parents a copy of their transcripts back in November, according to a letter
to parents.

Instead, the email sent out to families included incomplete transcripts for
all of the senior class, including students’ names, addresses, phone
numbers, grades, permanent student ID numbers, state test scores and
college readiness test scores. According to the district, this was human
error, not a technology breach.

The district said the staff member in question was immediately placed on
paid administrative leave. That staff member has since announced their
retirement, which was approved by the board of education on Monday.

After the breach happened, interim superintendent Char Shryock said the
district took the following steps:

Immediately upon notification that the email had been sent, pulled back the
email and link to the attached pdf file from all student/district email
recipients.
Initiated steps to notify students of the need to change passwords, then
monitored accounts to ensure passwords had been reset.
Searched student Google accounts for the pdf file and deleted any copies
that had been saved.
Worked with School Messenger, the component within PowerSchool that allows
them to send email messages to students and families, to ensure the link
was disabled and the file was no longer available for download.
The district reported it to the U.S. Department of Education’s Federal
Student Privacy Policy Office, who responded with the following statement:

“We want to acknowledge and thank you for your November 23, 2021
self-report of the data breach incident that occurred at Bay High School.
We appreciate when institutions take a proactive approach by instituting a
corrective action plan based on their assessment of their institution’s
data breach while concurrently providing notice to the Department so that
we may better address any complaints received relating to your
institution’s breach incident. Based on the information you provided within
the Self-Report, we have determined that we need take no action at this
time as your remedial actions appropriately address your incident.”

The district also reported it to the Ohio Department of Education, who
released the following statement:

“You’ve handled everything as it should be done and there is nothing from a
state perspective that needs to happen.”

Social security numbers, discipline information, special education plans
and financial, medical and insurance information wasn’t included in the
email.

“Please know that I take student data privacy seriously, and I am
continually looking for ways to ensure this does not happen again. My
sincere apologies to all who were affected by this very unfortunate
situation. I am here to answer your questions,” Shryock said.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20211210/cf86ce7c/attachment.html>