Add Midland University to any list of secondary educational institutions hit by ransomware. From their recent notification:
On January 18, 2021, Midland discovered that its network had been impacted by a sophisticated malware attack that encrypted certain computer files. Midland immediately launched an investigation, with the assistance of third-party computer forensic specialists, to determine the nature and scope of the event and notified federal law enforcement. Midland also worked quickly to: (1) secure its systems; (2) restore access to the information so Midland could continue to operate without disruption, and (3) investigate what happened and whether the event resulted in any unauthorized access to, or theft of, information by the unknown actor. Through the investigation, Midland determined that the unknown actor gained access to certain files on January 18, 2021 and downloaded a subset of those files.
[…]
The information that could have been subject to unauthorized access for Iowa residents includes name, address, Social Security number, driver’s license or state identification number, and financial account information.
So once again, it appears that it takes an entity one year from discovery of a breach to a notification. Unlike HIPAA which has (at least on paper), a 60-day deadline from discovery to notification, federal education law such as FERPA has no such requirement.
You can read the full notification at the Iowa Attorney General’s website. The notice to the state indicates that 645 Iowans were being notified. It does not reveal the total number of people impacted, but the university’s report to the Maine Attorney General’s office indicates that a total of 13,716 people were potentially affected.