We don’t see breach notifications from k-12 districts that often, but here’s one submitted to the California Attorney General’s Office from the Mt. Diablo Unified School District:
On April 27, 2017, when parents tried to access their student’s data through the HomeLink Portal, they were able to view information, as described below, of a student other than their own. The period of time parents and students had inadvertent exposure to another student’s information was one hour—between 8:00 p.m. and 9:00 p.m. and the data of approximately 600 families was exposed. The District has no reason to believe that any personally identifiable student information was accessed by an unauthorized person; however, it was possible during this brief window. Once the District learned of the problem, we immediately took HomeLink offline and began working with our Student Information System provider (“Eagle Soft”) and with Microsoft. Eagle Soft and Microsoft have identified the malfunction as a caching problem that has now been repaired. Please note that the District is operating HomeLink as intended by Eagle Soft and Microsoft. The error occurred due to a software malfunction that was outside of the District’s control.
What Information Was Involved?
The information that was accessible during the one-hour timeframe of inadvertent access was: address; home phone numbers; immunization records; required medication; medical history; grades; class schedules; test scores; parent email addresses; attendance; and transcripts.
Read the full notification letter here (pdf).