Worried About Hackers? FCPS has Been Breaching Students’ and Staff’s Privacy for Years

For years, Fairfax County Public Schools (FCPS) has been aware of its failures to secure private information.

Hackers breaching its system is another breach in a long line of privacy breaches and failures to secure information.

This evening, 9.11.20 (hours after news outlets were already covering the story), FCPS announced that “ransomware was placed on some of [FCPS’] technology systems.”

According to Drew Wilder of NBC News Channel 4 in Washington, D.C., there is more than ransomware to be concerned about:

The internet hacking group Maze claims it stole private information from Fairfax County Public Schools. To prove it, Maze has already posted some of it online. . . . News4 has viewed some of the documents posted online. One is nothing more than an internal training document from several years ago. But there’s also personal information that includes letters regarding disciplinary actions against 15 different students and their grades.

And yet . . .

FCPS has been releasing information about students—without their permission—for years.

FY15-17:

In an internal FCPS document titled “Hot Topics”, dated December 11, 2017, covering 2015-17, FCPS stated about Silverbrook Elementary School:

“SLP asked all sixth grade speech students to stand to be recognized during the EOY assembly in front of entire school. Proposed resolution to parents and they declined. CAP required training for SES and letter of assurance.”  “Maintain student confidentiality, particularly about sped status. Provided FERPA/confidentiality training to Silverbrook.”

In the same “Hot Topics” document, FCPS stated:

“Confidentiality of student records is a significant concern across the division. FCPS was found out of compliance by VDOE due to a confidentiality breach at Silverbrook ES, and we anticipate a noncompliant finding by VDOE again in the pending state complaint regarding Silverbrook and South County MS.”

Click on image above to view document in full. I redacted names of students before posting.

6.10.16 FERPA Request:

Within its response to a 6.10.16 FERPA request I submitted, FCPS provided me the special education screening committee schedule, which listed two children from West Springfield Elementary School, who aren’t my own.

7.21.16 FERPA Request:

Within its response to a 7.21.16 FERPA request I submitted, FCPS provided me information about two staff members at Silverbrook Elementary School.

2.3.17:

South County Middle School teacher bcc’d her husband on an email that contained confidential student information. 

Virginia Department of Education (VDOE) found FCPS in noncompliance for breach of privacy.

2.28.17:

South County Middle School teacher bcc’d her husband—again—on an email that contained confidential student information. 

VDOE found FCPS in noncompliance for breach of privacy.

6.7.17:

A former Silverbrook Elementary School teacher emailed Principal Melaney Mackin that he “heard through the grape vine that this family has been giving you a bit of trouble”. Melaney Mackin responded to him, indicating that she would speak with him.

The family in question didn’t provide the teacher information, did not provide him permission to talk about their child, and did not give Melaney Mackin permission to talk about the child with an individual who wasn’t even an employee of the school.

(As you scroll through this article, note how many times Silverbrook Elementary School is listed.)

6.8.17 FERPA Request:

Within its response to a 6.8.17 FERPA request I submitted, FCPS provided me information about eight students at Silverbrook Elementary School and two students at unspecified schools.

Click on image above to view document in full. Students’ names were redacted before document was posted.

10.13.17:

I emailed members of FCPS school board, advising them of FCPS’ privacy breaches. Elizabeth Schultz was the only person to respond. She replied:

Thank you for taking the time to email and document your concerns. I understand how frustrating many of these circumstances can be and look forward to getting the appropriate staff involved to review the issues to date and make a determination of the necessary plan going forward.

10.27.17:

After emailing FCPS Superintendent Scott Brabrand, I was forwarded to Chief Academic Officer Francisco Duran. I emailed, asking him to look into the privacy violations.

  • 10.31.17: Francisco Duran responded to my 10.27.17 email:

As you requested, I have looked into your concern about confidential student information disclosures.  Staff within the Department of Special Services are aware of two situations related to your son where there was a breach of confidentiality.  The recent one of student progress monitoring data being shared through your FERPA release is an inadvertent situation where other student names were not redacted. The second situation was the incident of the teacher inadvertently emailing her spouse sensitive scheduling information.  We believe these two incidents to be isolated in nature and not indicative of a systemic problem related to confidentiality.  However, in response to these two events, we will be developing tighter procedures around division wide FERPA practices as well as initiating additional training on the requirement to maintain student confidentiality. 

FCPS takes student confidentiality seriously.  Please know that the South County Middle School staff, including the central staff that provides support, certainly want the best for Max and his success.

That same day, I responded to Francisco, letting him know he’d been misinformed. He didn’t respond.

11.8.17:

After not receiving a response to my privacy concerns, I contacted Congresswoman Barbara Comstock, who submitted an inquiry to FCPS on my behalf.

1.16.18 FERPA Request:

Within its response to a 1.16.18 FERPA request I submitted, FCPS provided me information about a student, at an unidentified school, his struggles, and the log-in/password information for a program he was using. They also provided special education screening information for a student at South County Middle School.

1.17.18 FERPA Request:

Within its response to a 1.17.18 FERPA request I submitted, FCPS provided me an unredacted copy of the internal FCPS document titled “Hot Topics Region 4”, which lists the names of other students, their lawyers, medical conditions, money paid, etc. – and in which FCPS admits that it knows it has confidentiality and other issues. The document specifically states:

  • “Confidentiality of student records is a significant concern across the division. FCPS was found out of compliance by VDOE due to a confidentiality breach at Silverbrook ES, and we anticipate a noncompliant finding by VDOE again in the pending state complaint regarding Silverbrook and South County MS.” “Schools need additional training on confidentiality of student information. While best practice is reinforced by IT, Division Counsel, and OSEPS, does not seem to be followed in day-to-day interactions. Additional training will be offered division wide, including at to Silverbrook and South County MS as part of the state complaint processcorrective action. It may make sense to offer training to a wider audience.”
  • “SLP asked all sixth grade speech students to stand to be recognized during the EOY assembly in front of entire school. Proposed resolution to parents and they declined. CAP required training for SES and letter of assurance.”  “Maintain student confidentiality, particularly about sped status. Provided FERPA/confidentiality training to Silverbrook.”

Within the same response to my FERPA request, it provided me medical leave information about a South County Middle School Teacher.

1.29.18:

Superintendent Scott Brabrand responded to my concerns in a letter to Congresswoman Barbara Comstock. This letter actually arrived just days before the “Hot Topics” document listed above. While my FERPA request was dated earlier in the month, FCPS didn’t provide its response until later. In addition, there was a delay between when Congresswoman Comstock’s office received Scott’s letter and when her office sent it to me. Within the letter, Scott stated:

Ms. Oettinger shared her concerns about the Family Education Act (FERPA) violations by several FCPS school-based employees. These issues were addressed with each employee by their supervisors, following FCPS protocol for employee discipline. In addition, staff from the Department of Special Services met with the school team to review the violations and to develop a plan to ensure these violations are not repeated.

It was ironic (and disturbing and frustrating) to receive Scott’s statement about my privacy concerns being addressed, only to receive another violation a few days later, in the form of the internal “Hot Topics” document stating, “Confidentiality of student records is a significant concern across the division.”

11.7.18:

I had an in-person meeting with FCPS Superintendent Scott Brabrand, which lasted about an hour and a half.

During our meeting I mentioned, among other things, that at that point I had been provided information on over 30 students and staff via FERPA/FOIA requests, even though I didn’t request such info.

Scott replied, “I don’t know about that.”

I stated again what I had.

He then said that his team advised him it was more like TWO.

At that point, I had sent dozens and dozens of emails to Scott, his staff, and the school board. Scott’s answer confirmed 1) that Scott’s staff was not sharing all info. with him and 2) Scott’s choice was to believe his staff, rather than investigate facts provided by a parent over and over and over.

5.31.19:

A South County High School Teacher forwarded confidential information about my son to Ms. Davis at Fairfax County Federation of Teachers (FCFT).

  • 10.16.19: Assistant Superintendent Jay Pearson emailed me and stated, “I am following up on the concern you raised, both in email and during our phone conversation, that a staff member sent information to an association representative that included personally identifiable information about [redacted]. We reviewed the information forwarded to the association representative, and we agree that it should not have been forwarded.”

VDOE found FCPS in noncompliance for breach of privacy.

6.4.19:

The same South County High School Teacher forwarded confidential information about my son—again—to Ms. Davis at Fairfax County Federation of Teachers (FCFT).

  • 10.16.19: Assistant Superintendent Jay Pearson emailed, “I am following up on the concern you raised, both in email and during our phone conversation, that a staff member sent information to an association representative that included personally identifiable information about [redacted]. We reviewed the information forwarded to the association representative, and we agree that it should not have been forwarded.”

VDOE found FCPS in noncompliance for breach of privacy.  

6.7.19:

The same South County High School Teacher forwarded private information to her private email address.

August 2019:

A Silverbrook ES teacher failed to secure private information. Her daughter took a picture of private information and posted it to social media.

  • 8.21.19: Assistant Superintendent Jay Pearson emailed, “I personally visited the school yesterday to address this issue. While there is an explanation as to how [redacted] was shared inappropriately, it is not excusable and not an acceptable manner for [redacted] to be shared. There will be a staff training in September on privacy and confidentiality of student information.”

10.1.19:

South County High School Principal Gary Morris emailed confidential information about a student to Silverbrook Elementary School Principal Melaney Mackin. He didn’t check the email address before sending the email.

VDOE found FCPS in noncompliance for breach of privacy.

10.24.19:

  • 10.24.19, 7:25 PM: South County Principal Gary Morris emailed me, “I am writing to inform you that I was alerted today by a parent who picked up documentation from my office, that within her documentation I mistakenly included a document that had identifiable information of [Student] within it. This was totally my mistake as I somehow picked up a document with [Student’s] information on it and packaged it with the information for the other parent.”
  • 10.24.19, 8:04 PM: A South County High School Parent emailed me to 1) make me aware my son’s privacy had been breached and 2) advise me that she’d already contacted the school about the breach. She had submitted a FERPA request, and in response to her request, South County High School provided her 76 pages of information not related to her daughter, 12 of which were related to my son. “A document” is not quite the same as 12 pages.

VDOE found FCPS in noncompliance for breach of privacy.

11.25.19:

Hearing Officer Frank Aschmann denied FCPS’ seven subpoenas duces tecum in relation to the Due Process case related to an FCPS student.

FCPS still obtained records and didn’t return them until 12.10.19, even though they were the subject of a Motion to Quash. FCPS did not make [Parent] aware that it had obtained these records. She was made aware after she did a request for detailed billing sheets from FCPS outside counsel Blankingship & Keith.

4.23.20:

An Orange Hunt Elementary School teacher sent a group email to parents of students receiving special education services. In doing so, she violated the privacy of all the students and families, because school divisions are supposed to maintain the privacy of who is receiving special services.

FCPS argued that, because the email addresses—and the email itself—didn’t include specific names, it did not violate privacy. However, anyone with a PTA directory, classroom phone tree, and so on, would be able to sort out which email belongs to which family, and thus personally identifiable information was released.

Summer 2020:

In the course of a due process hearing, FCPS breached confidentiality, by way of its outside counsel, when it released a health document and 504 plan document listing dozens of students’ personal ID numbers and classes, as well as other documents listing personally identifiable information.

Click on image above to view full document. I redacted students’ names, ID numbers, grade, and classes.
Click on image above to view document in full. I redacted student’s name and ID numbers before posting.

July 20, 2020:

A Due Process Hearing officer requested information about FCPS’ Special Education Administrative System for Targeting and Reporting Success (SEA-STARS) program, “specifically SEA-STARS’ ability to capture and maintain logs of specific data such as login information, record access and changes to student data and FCPS retention of such log records over time.”

Among other things, FCPS advised the hearing officer:

SEA-STARS is a secure Commercial off the Shelf (COTS) product that was acquired as a result of a competitive process from Edupoint Systems, Inc. (Edupoint) and utilizes the Synergy Special Education System (SES) platform developed and owned by Edupoint. . . .

The Synergy SES product does include the ability to track login information, record access, and changes to student data in a very detailed way. FCPS tested this functionality more than ten years ago and found that due to the volume of transactions and the associated overhead generated on the SEA-STARS servers, this functionality would seriously degrade the operational performance of the system, largely making the system unusable for authorized users. In addition, this functionality is not required under the Individuals with Disabilities Education Act (IDEA) or the Family Educational Rights and Privacy Act (FERPA). The decision was made that logging would not be enabled in the FCPS SEA-STARS system. There has been no change to this decision over the years, and logging has never been enabled in the FCPS SEA-STARS production environment.

However, you know what is required by the Individuals with Disabilities Education Act?

Sec. 300.614 of IDEA requires a RECORD OF ACCESS:

Each participating agency must keep a record of parties obtaining access to education records collected, maintained, or used under Part B of the Act (except access by parents and authorized employees of the participating agency), including the name of the party, the date access was given, and the purpose for which the party is authorized to use the records.

So, in addition to repeatedly violating the privacy of its students and staff over and over and over again, FCPS isn’t tracking access to sensitive information related to children receiving special education.

*After going through this so many times, I realized that FCPS doesn’t send out notices of breaches—a record of someone having access to their child’s information—until after I or other parents make FCPS aware of the breach.

To date, I’ve been made aware of more breaches—of other parents being provided information about children other than their own.

Am I worried about hackers accessing FCPS’ system?

Yes.

Am I surprised?

No.

If your own team is at fault for repeat confidentiality breaches (in addition to other repeat noncompliance in other areas), it stands to reason there are holes all over your system.

Please join me in asking Superintendent Brabrand to finally address FCPS FULLY securing the private information of its staff and students. You can email him at suptbrabrand@fcps.edu
