[This article was updated January 11, 2022, to include more FERPA violations.]FCPS has been releasing information about students without their consent for years. This article details FCPS FERPA violations between 2017 and 2021. It includes breaches related to records FCPS provided to me, breaches related to my own family (and about which I filed state complaints), breaches other FCPS families shared with me, as well as the hacking of FCPS that occurred in 2020. In addition, it includes FCPS noncompliance related to it failing to provide parents an opportunity to inspect and review their student’s education records and/or review the education records within regulatory timelines. In a perfect world, there’d be no reason to mention this article will be updated in the future. In a realistic world, where past is prologue, the expectation is that updates might never stop.
Please join me in asking Superintendent Brabrand to finally address FCPS FULLY securing the private information of its staff and students. You can email him at email@example.com
FY15-17:In an internal FCPS document titled “Hot Topics“, dated December 11, 2017, which covers the 2015-17 period, FCPS stated the following about Silverbrook Elementary School:
A SLP asked all sixth grade speech students to stand to be recognized during the EOY assembly in front of entire school. Proposed resolution to parents and they declined. CAP required training for SES and letter of assurance. Maintain student confidentiality, particularly about sped status. Provided FERPA/confidentiality training to Silverbrook.In the same “Hot Topics” document, FCPS stated:
Confidentiality of student records is a significant concern across the division. FCPS was found out of compliance by VDOE due to a confidentiality breach at Silverbrook ES, and we anticipate a noncompliant finding by VDOE again in the pending state complaint regarding Silverbrook and South County MS.Click on image above to view document in full. I redacted names of students before posting.
Related Reading: Hot Topics and “FCPS Reports List 400+ Special Education Violations; VDOE Refuses to Investigate“
6.10.16 FERPA Request:Within its response to a 6.10.16 FERPA request I submitted, FCPS provided me the special education screening committee schedule, which listed two children from West Springfield Elementary school, who aren’t my own.
7.21.16 FERPA Request:Within its response to a 7.21.16 FERPA request I submitted, FCPS provided me information about two staff members at Silverbrook Elementary School.
2.3.17:Former South County Middle School teacher Christina Schneider bcc’d her husband on an email that contained confidential student information. Virginia Department of Education (VDOE) found FCPS in noncompliance for breach of privacy.
2.28.17:Former South County Middle School teacher Christina Schneider bcc’d her husband again on an email that contained confidential student information. VDOE found FCPS in noncompliance for breach of privacy.
3.17.17Jim Burgess, a former senior specialist in OSEPS, breached the privacy of a student and parent and then refused to provide the parent the name of the individual to whom Jim provided information about her and her child. Read: FCPS Office of Special Education Procedural Support Has a History of Privacy Breaches
6.7.17:Former Silverbrook Elementary School teacher Wilson Johnson emailed Principal Melaney Mackin that he “heard through the grape vine that this family has been giving you a bit of trouble”. Melaney Mackin responded to him, indicating that she would speak with him. The family in question didn’t provide the teacher information, did not provide him permission to talk about their child, and did not give Melaney Mackin permission to talk about the child with an individual who wasn’t even an employee of the school. Yet, evidently a grapevine of information was flowing from Silverbrook Elementary School. (As you scroll through this article, note how many times Silverbrook is listed.)
6.8.17 FERPA Request:Within its response to a 6.8.17 FERPA request I submitted, FCPS provided me information about eight students at Silverbrook Elementary School and two students at unspecified schools.
Click on image above to view document in full. I redacted names of students before posting.
Thank you for taking the time to email and document your concerns. I understand how frustrating many of these circumstances can be and look forward to getting the appropriate staff involved to review the issues to date and make a determination of the necessary plan going forward.
10.27.17:After emailing FCPS Superintendent Scott Brabrand, I was forwarded to former Chief Academic Officer Francisco Duran. I emailed, asking him to look into the privacy violations.
- 10.31.17: Francisco Duran responded to my 10.27.17 email:
As you requested, I have looked into your concern about confidential student information disclosures. Staff within the Department of Special Services are aware of two situations related to your son where there was a breach of confidentiality. The recent one of student progress monitoring data being shared through your FERPA release is an inadvertent situation where other student names were not redacted. The second situation was the incident of the teacher inadvertently emailing her spouse sensitive scheduling information. We believe these two incidents to be isolated in nature and not indicative of a systemic problem related to confidentiality. However, in response to these two events, we will be developing tighter procedures around division wide FERPA practices as well as initiating additional training on the requirement to maintain student confidentiality. FCPS takes student confidentiality seriously. Please know that the South County Middle School staff, including the central staff that provides support, certainly want the best for Max and his success.That same day, I responded to Francisco, letting him know he’d been misinformed. He didn’t respond.
Click on image below to view document in full.
1.16.18 FERPA Request:Within its response to a 1.16.18 FERPA request I submitted, FCPS provided me information about a student, at an unidentified school, his struggles, and the log-in/password information for a program he was using. They also provided special education screening information for a student at South County Middle School.
1.17.18 FERPA Request:Within its response to a 1.17.18 FERPA request I submitted, FCPS provided me an unredacted copy of the internal FCPS document titled Hot Topics Region 4, which lists the names of other students, their lawyers, medical conditions, money paid, etc. and in which FCPS admits that it knows it has confidentiality and other issues. The document specifically states:
Confidentiality of student records is a significant concern across the division. FCPS was found out of compliance by VDOE due to a confidentiality breach at Silverbrook ES, and we anticipate a noncompliant finding by VDOE again in the pending state complaint regarding Silverbrook and South County MS Schools need additional training on confidentiality of student information. While best practice is reinforced by IT, Division Counsel, and OSEPS, does not seem to be followed in day-to-day interactions. Additional training will be offered division wide, including at to Silverbrook and South County MS as part of the state complaint process corrective action. It may make sense to offer training to a wider audience.
SLP asked all sixth grade speech students to stand to be recognized during the EOY assembly in front of entire school. Proposed resolution to parents and they declined. CAP required training for SES and letter of assurance. Maintain student confidentiality, particularly about sped status. Provided FERPA/confidentiality training to Silverbrook.Within the same response to my FERPA request, it provided me medical leave information about a South County Middle School Teacher. Related Reading: Hot Topics and “FCPS Reports List 400+ Special Education Violations; VDOE Refuses to Investigate”
1.29.18:Superintendent Scott Brabrand responded to my concerns in a letter to Congresswoman Barbara Comstock. This letter actually arrived just days before the “Hot Topics” document mentioned at the start of this article. While my FERPA request was dated earlier in the month, FCPS didn’t provide its response until later. In addition, there was a delay between when Congresswoman Comstock’s office received Scott’s letter and when her office sent it to me. Within the letter, Scott stated:
Ms. Oettinger shared her concerns about the Family Education Act (FERPA) violations by several FCPS school-based employees. These issues were addressed with each employee by their supervisors, following FCPS protocol for employee discipline. In addition, staff from the Department of Special Services met with the school team to review the violations and to develop a plan to ensure these violations are not repeated.It was ironic (and disturbing and frustrating) to receive Scott’s statement about my privacy concerns being addressed, only to receive another violation a few days later, in the form of the internal “Hot Topics” document stating, “Confidentiality of student records is a significant concern across the division.”
Click on image above to view document in full.
11.7.18:I had an in-person meeting with FCPS Superintendent Scott Brabrand, which lasted about an hour and a half. During our meeting, I mentioned that as of that date I had been provided information on over 30 students and staff via FERPA and/or FOIA requests, even though I didn’t request such information. Scott replied:
“I don’t know about that.”I stated again what I had and gave him some of the documents that I brought with me. He then said that his team advised him it was more like TWO. At that point, I had sent dozens and dozens of emails to Scott, his staff, and the school board. Scott’s answer confirmed 1) that Scott’s staff was not sharing all information with him; 2) Scott’s choice was to believe his staff, rather than investigate facts provided by a parent; and/or 3) Scott was aware of FCPS privacy breach problems and was trying to deny them, none of which are good options.
2019The names and grades of 12 students at Longfellow Middle School are included in this breach. All of the students were in the special education program at Longfellow in the 2018–19 period. According to the FCPS family that forwarded this document to me (in March 2021), a former administrator at Longfellow Middle School provided it to them within a collection of other documents in 2019. Related Reading: “FERPA Violation: Longfellow Middle School Students’ Privacy Violated”
5.31.19:South County High School teacher Chris Walton forwarded confidential information about my son to Ms. Davis at Fairfax County Federation of Teachers (FCFT).
- 10.16.19: Assistant Superintendent Jay Pearson emailed me and stated, I am following up on the concern you raised, both in email and during our phone conversation, that a staff member sent information to an association representative that included personally identifiable information about [redacted]. We reviewed the information forwarded to the association representative, and we agree that it should not have been forwarded.
6.4.19:South County High School teacher Chris Walton forwarded confidential information about my son again to Ms. Davis at Fairfax County Federation of Teachers (FCFT).
- 10.16.19: Assistant Superintendent Jay Pearson emailed, I am following up on the concern you raised, both in email and during our phone conversation, that a staff member sent information to an association representative that included personally identifiable information about [redacted]. We reviewed the information forwarded to the association representative, and we agree that it should not have been forwarded.
Click on image above to view document in full.
August 2019:A Silverbrook ES teacher failed to secure private information. Her daughter took a picture of private information and posted it to social media.
- 8.21.19: Assistant Superintendent Jay Pearson emailed, â€œI personally visited the school yesterday to address this issue. While there is an explanation as to how [redacted] was shared inappropriately, it is not excusable and not an acceptable manner for [redacted] to be shared. There will be a staff training in September on privacy and confidentiality of student information.”
10.1.19:South County High School Principal Gary Morris emailed confidential information about a student to Silverbrook Elementary School Principal Melaney Mackin. He didn’t check the email address before sending the email. VDOE found FCPS in noncompliance for breach of privacy.
- 10.24.19, 7:25 PM: South County Principal Gary Morris emailed me, â€œI am writing to inform you that I was alerted today by a parent who picked up documentation from my office, that within her documentation I mistakenly included a document that had identifiable information of [Student] within it. This was totally my mistake as I somehow picked up a document with [Student’s] information on it and packaged it with the information for the other parent.â€
- 10.24.19, 8:04 PM: A South County High School Parent emailed me to 1) make me aware my son’s privacy had been breached and 2) advise me that she’d already contacted the school about the breach. She had submitted a FERPA request, and in response to her request, South County High School provided her 76 pages of information not related to her daughter, 12 of which were related to my son. “A document” is not quite the same as 12 pages.
11.25.19Hearing Officer Frank Aschmann denied FCPS seven subpoena duces tecums in relation to the Due Process case related to a FCPS student. FCPS still obtained records and didn’t return them until 12.10.19, even though they were subject of Motion to Quash. FCPS did not make [Parent] aware that it had obtained these records. She was made aware after she did a request for detailed billing sheets from FCPS outside counsel Blankingship & Keith.
4.8.20Silverbrook Elementary School Principal Melaney Macking breached the privacy of one of my kids.
4.23.20An Orange Hunt Elementary School teacher sent a group email to parents of students receiving special education services. In doing so, she violated the privacy of all the students and families, because school divisions are supposed to maintain the privacy of who is receiving special services. FCPS argued that, because the email addresses and the email itself didn’t include specific names, that it did not violate privacy. However, anyone with a PTA directory, classroom phone tree, and so on, would be able to sort out which email belongs to which family, and thus personally identifiable information was released.
May 2020Toward the end of the 2019-20 school year Silverbrook Elementary School created a public sign-up sheet for medication pick up. The sign-up form was accessible by anyone with the link, which turned it into a public list of children taking medication. Related Reading: “Dear Silverbrook ES: A Public List of Students Who Take Medicine is Not a Good Idea“.
6.25.20VDOE issued a Letter of Findings in which it found FCPS in noncompliance related to FERPA regulation again. VDOE specifically stated:
“LEA failed to provide Complainant/Parent an opportunity to inspect and review Student’s education record within regulatory timelines.”
6.26.20A day after being notified that VDOE found FCPS in noncompliance again, Jane Strong, director of the Office of Special Education Procedural Support, sent an email that states:
Click on the image below to view it at a larger size.
August 2020FCPS provided a parent spreadsheets related to over two dozen students attending Willow Oaks Elementary School. One spread sheet students who have 504 plans and another is titled “Health Conditions” and shares students’ ID numbers, their classes, their grades, their gender, and their health conditions. Read: FERPA Violation: Willow Springs Elementary School Students’ Privacy Violated – Special Education Action
9.11.20Hours after news outlets were already covering the story, FCPS announcement, that “ransomware was placed on some of [FCPS’] technology systems.” FCPS later admitted that the hackers Maze stole private information from FCPS. Drew Wilder of NBC News Channel 4 in Washington, D.C., confirmed that some of the stolen information included “personal information that includes letters regarding disciplinary actions against 15 different students and their grades”.
June through October 2020FCPS and two law firms with which it works, Sands Anderson and Blankingship & Keith failed to secure personally identifiable information on seven occasions in just a four-month period during 2020. During this period, four due process complaints were filed on behalf of four different children. Their parents requested that their children’s full records be provided. They didn’t request unredacted information about other children (or adults). However, that’s what they received. Related Reading: “Fairfax County Public Schools, Sands Anderson, and Blankingship & Keith Breach Privacy During Due Process“.
Family #1FCPS counsel Sands Anderson provided the family numerous unredacted documents related to children attending Willow Springs Elementary School, to include personally identifiable information about students with 504s and students with health conditions. Related Reading: FERPA Violation: Willow Springs Elementary School Students Privacy Violated
Family #2FCPS counsel Blankingship & Keith sent information related to a subpoena to the wrong family.
Family #3FCPS gave this family information about students receiving special education services, who are in the class of 2023 at Robinson Secondary School. The list provides full names, student identification numbers, classes, interventions, recommendations, and class teachers and periods for the students. Related Reading: Robinson Secondary School Privacy Breach: FCPS Released Names, ID Numbers of Students Receiving Special Education
Family #4This one is related to a due process complaint I filed. Between the time I filed the complaint and when the hearing officer submitted her final decision, the following breaches occurred:
- Former Blankingship & Keith lawyer Wesley Allen sent me thumb drives that supposedly held my son complete record. He later recalled the thumb drives because he said the included unredacted information about other students. After being called out on this breach, Wesley referred to himself as a “conduit”, which I interpreted as him throwing FCPS under the bus.
- Former Blankingship & Keith lawyer Wesley Allen contacted me about a student who is not one of my children.
- FCPS, via Blankingship & Keith, provided personal home addresses, emails, and phone numbers for FCPS staff within its evidence books.
- FCPS Dawn Schaefer forwarded me a transcript for another family due process pre-hearing conference.
August 2020FCPS breached the privacy of over two dozen students attending Willow Oaks Elementary School. FCPS provided a FCPS parent documents related to her child and the mother found two spreadsheets listing personally identifiable information about children. One spread sheet students who have 504 plans and another is titled “Health Conditions” and shares students’ ID numbers, their classes, their grades, their gender, and their health conditions. Read: FERPA Violation: Willow Springs Elementary School Students’ Privacy Violated – Special Education Action
9.11.20FCPS announced that it had been hacked and that Maze stole private information from FCPS, to include “letters regarding disciplinary actions against 15 different students and their grades.”
Dawn Schaefer, FCPS’s coordinator of Due Process and Eligibility, provided a parent a link to numerous documents, many of which are about students other than her own.
The documents includes a spreadsheet that lists over 70 students attending Robinson Secondary School, who receive special education services. In addition to identifying the students as students who are in the special education program, the spreadsheet provides the first and last names of the students, their student ID numbers, their classes, and their teachers. Read: Robinson Secondary School Privacy Breach: FCPS Released Names, ID Numbers of Students Receiving Special EducationAfter the breach was made public on this site (I redacted personally identifiable information about the students), FCPS contacted at least one of the families about the breach.
10.7.20Kelly O’Connell, a FCPS procedural support liaison in OSEPS, breached the privacy of student. Read: FCPS Office of Special Education Procedural Support Has a History of Privacy Breaches
10.27.20Dawn Schaefer, then-coordinator for due process and eligibility in OSEPS, breached the privacy of student and the student’s family. Read: FCPS Office of Special Education Procedural Support Has a History of Privacy Breaches
5.6.21Jane Strong, director of the Office of Special Education and Procedural Support breached a student’s privacy when she emailed six documents related to the student to individuals who should not have received them. This student’s privacy was previously violated when Dawn Schaefer forwarded me a due process hearing transcript related to the student. Related Reading: “Oops! . . . They Did It Again!; Fairfax County Public Schools Continues to Breach Student Privacy” and “Fairfax County Public Schools, Sands Anderson, and Blankingship & Keith Breach Privacy During Due Process”
5.21.21Just four days after FCPS spoke with USDOE SPPO, SCHS staff member Tina Wrubluski violated the privacy of numerous students when she shared her computer screen during an IEP meeting. Although numerous people kept trying to obtain her attention, Tina continued working away, making document folders related to specific students available for viewing. Related Reading: “South County High School Breaches Student Confidentiality Again”
“We therefore find the that the District take specific actions, these actions include training staff. Specifically, the District failed to obtain prior written consent before disclosing education records to another parent. We also have evidence that the District does not have a policy that would violate FERPA on a regular basis. The District has required school officials complete a FERPA training to ensure that the scope and limitations of FERPA are adhered to. The District completed such training on November 12, 2019, which satisfies the requirements of this Office. Concluding, this Office has received assurance from the District, therefore, we are closing the investigation as the District has completed the required corrective actions.”I made the advisor aware of the breaches that took place after the 11.12.19 training, to include the breach that occurred four days after she spoke with FCPS on 5.17.21.
Click on the image below to view it at a larger size.
6.24.21June 24, 2021, Dawn Azennar, a procedural support liaison, sent an email and a letter about a FCPS student to the wrong person (a FCPS parent in this case). Although the student isn’t mentioned by name, there’s a fair amount of information that would make tracking down the student and family doable. I’ve deleted the student’s birthday and the name of the student’s previous school in the document below. Craziness: This isn’t the first time FCPS has accidentally emailed this same parent. Just over two month’s ago FCPS sent the parent an internal email in which FCPS admitted fault in relation to an investigation the Office of Civil Rights (OCR) initiated after I filed an OCR complaint. (Read “Office of Civil Rights Opens Investigation of Fairfax County Public Schools – Special Education Action“.) Related Reading: “Oops! . . . They Did It Again!; Fairfax County Public Schools Continues to Breach Student Privacy”
6.29.21June 29, 2021, Fairfax County Public Schools (FCPS) breached the privacy of thousands of students attending South County High School, Hayfield Secondary School, Edison High School, West Potomac High School, Lake Braddock Secondary School, and FCPS Online Campus. The breach includes the students’ names, their FCPS identification numbers, their FCPS email addresses, the schools at which they are enrolled, the names of their parents and/or guardians, and the email addresses of their parents and/or guardians. June 29, 2021, FCPS provided me a thumb drive with documents it stated were in response to FERPA requests I submitted. The thumb drive includes 12 unredacted reports with personally identifiable information related to students and their families. I did not request these reports or any of the personally identifiable information. I went back through the thumb drive provided by FCPS and found another FERPA Violation. Related Reading: “Fairfax County Public Schools Breaches Privacy of Thousands of Students; FERPA Noncompliance Continues” and “But Wait, There’s More: Fairfax County FERPA Violations Continue”
September 2021FCPS breached the privacy of a Chesterbrook Elementary School student and family. FCPS included an unredacted document in its response to another parent’s FERPA request and that parent sent it to me. The document is a student’s care card. Each year FCPS asks parents to submit a care card. The cards request home, parent, and contact information, as well as medical issues, prescription medications, medical professionals the child is seeing, and so on. Related Reading: “Fairfax County Public Schools Violated Privacy of Chesterbrook ES Student and Family”
9.10.21FCPS breached the privacy of staff and students in its response to a FOIA request. Related Reading: “Fairfax County Public Schools Leaked Its Own Legal Invoices”
9.13.21FCPS breached the privacy of staff and students in its response to a FOIA request.
9.30.21FCPS sued me and Debra Tisler after I published redacted versions of some of the documents released in FCPS’s 9.11.21 and 9.13.21 FOIA responses, and then led the public to believe its lawsuit was a preventative measure to stop additional dissemination of personally identifiable information related to children and personnel files. Although the 1,316 pages released did breach the privacy of students and staff, the majority of the documents were not related to students and personnel files. On this date, a scheduling judge ordered that the documents not be disseminated and I was forced to remove documents already published, even though they were not PII documents about children and personnel. Within the first two weeks, FCPS spent over $115,000 on this lawsuit. Related reading: “Update on Fairfax County School Board’s Legal Action Against Parents” and “Fairfax County School Board Spent Over $115,000 on Lawsuit it Tried to Make Disappear; More Legal Invoices to Come”
10.8.21Lori Hershey, a FCPS central office staff member violated the privacy of a student when she forwarded a home instruction acknowledgement letter for the student to the wrong family. The family to whom the wrong letter was sent was never advised to whom the letter related to their own child was sent. Related Reading: “FCPS Office of Special Education Procedural Support Has a History of Privacy Breaches” and “FCPS at Fault for Two More Privacy Breaches; Released Mental Health Information About Almost 60 Thomas Jefferson High School Students”
10.28.21Thomas Jefferson High School violated the privacy of almost 60 students when it sent a failed “mail merge” to the parents of the students, with a letter stating the parents were “in receipt of this letter because you indicated on the school health form that your child has an attention deficit or other mental health condition of concern.” Related Reading: “FCPS Office of Special Education Procedural Support Has a History of Privacy Breaches” and “FCPS at Fault for Two More Privacy Breaches; Released Mental Health Information About Almost 60 Thomas Jefferson High School Students”
11.16.21Debra Tisler and I prevailed in court after FCPS sued us. Related Reading: “Parents and First Amendment Prevail; Judge Rules Against Fairfax County School Board” and “What is Fairfax County Public Schools Trying to Hide? These 1,316 Pages of Clues Provide Answers”
11.26.21VDOE found FCPS in noncompliance for FERPA violations related to FCPS’s 9.10.21 and 9.13.21 breaches and stated: “. . . we are concerned that continuing complaints in this area could signal larger issues in the school division’s response to matters concerning FERPA or an issue with insufficient training and/or procedures. Additional actions addressed through the state educational agency’s general supervision authority will be forthcoming.” Related Reading: “Fairfax County Public Schools Found in Violation of FERPA; Virginia Department of Education Refuses to Find FCPS at Fault for Systemic Noncompliance”
SEA-STARS: FCPS Intentionally Disabled Access TrackingJuly 20, 2020, a due process hearing officer requested information about FCPS’ Special Education Administrative System for Targeting and Reporting Success (SEA-STARS) program, “specifically SEA-STARS’ ability to capture and maintain logs of specific data such as login information, record access and changes to student data and FCPS retention of such log records over time. Among other things, FCPS advised the hearing officer:
SEA-STARS is a secure Commercial off the Shelf (COTS) product that was acquired as a result of a competitive process from Edupoint Systems, Inc. (Edupoint) and utilizes the Synergy Special Education System (SES) platform developed and owned by Edupoint. . . . The Synergy SES product does include the ability to track login information, record access, and changes to student data in a very detailed way. FCPS tested this functionality more than ten years ago and found that due to the volume of transactions and the associated overhead generated on the SEA-STARS servers, this functionality would seriously degrade the operational performance of the system, largely making the system unusable for authorized users. In addition, this functionality is not required under the Individuals with Disabilities Education Act (IDEA) or the Family Educational Rights and Privacy Act (FERPA). The decision was made that logging would not be enabled in the FCPS SEA-STARS system. There has been no change to this decision over the years, and logging has never been enabled in the FCPS SEA-STARS production environment.
Each participating agency must keep a record of parties obtaining access to education records collected, maintained, or used under Part B of the Act (except access by parents and authorized employees of the participating agency), including the name of the party, the date access was given, and the purpose for which the party is authorized to use the records.So, in addition to repeatedly violating the privacy of its students and staff over and over and over again, FCPS isn’t tracking access to sensitive information related to children receiving special education. *After going through this so many times, I realized that FCPS doesn’t send out notices of breaches, a record of someone having access to their child’s information, until after I or other parents make FCPS aware of the breach. To date, I’ve been made aware of more breaches of other parents being provided information about children other than their own. Am I worried about hackers accessing FCPS’ system? Yes. Am I surprised? No. If your own team is at fault for repeat confidentiality breaches (in addition to other repeat noncompliance in other areas), it stands to reason there are holes all over your system.
Please join me in asking Superintendent Brabrand to finally address FCPS FULLY securing the private information of its staff and students. You can email him at firstname.lastname@example.org