On January 19, 2022, the Litchfield School District in New Hampshire notified the state’s Attorney General of a data security/privacy incident that seems to have previously escaped this site’s awareness. Let’s correct that now. From their report:
On December 6, 2021, the District discovered that an individual with authority to access student records exceeded their authority by sharing certain student records to their personal email account. This occurred on or around September 14, 2021 by adjusting privacy settings related to the records such that others within the School District could have accessed the records between September 14, 2021 and December 8, 2021.
The investigation did not uncover any other instances of improper access to the records or misuse of the data, and
Based on a review of the affected documents, it does not appear that data such as Social Security numbers, financial account information, or driver’s license numbers were implicated in this breach. However, the breach impacted various special education documents, which may include student names and one or more of the following: dates of birth, addresses, and SASID numbers.
Approximately 630 New Hampshire residents, students of the District, may have been affected by this incident of which 198 fell into the group of special education documents involved. The remaining students’ compromised data included certain electronically stored school assignments, but those files or records did not contain similarly sensitive information.
Notice was provided to the 198 residents on December 28, 2021. The remaining residents were to be notified on or about January 21, 2022.
The notification did not explain why the employee transferred the files to personal email — was it to enable them to continue completing work at home? Given the nature of the information and the fact that the district did not report disciplining or firing any employee but (merely) “Reminding staff of the School District’s privacy and security practices and expectations,” it seems like the employee violated policies and procedures and left the door open for a more major breach that thankfully, didn’t happen.