A parent in Chicago discovered a massive breach of private data about students in private schools receiving special education services. The data was controlled by Chicago Public Schools, but obviously with little regard for privacy. The parent was a student Privacy activist, Cassie Creswell.

The following post is by Cassie Creswell, a Chicago parent activist from Raise Your Hand Illinois and a key member of our Parent Coalition for Student Privacy. In January, Cassie also testified on our behalf at the Chicago hearings of the Commission for Evidence-Based Policy against overturning the ban to enable the federal government to create a comprehensive student database of personally identifiable information.

More recently, upon examining expenditure files on the Chicago Public School website, Cassie discovered the names of hundreds of students along with the disability services they received at numerous private and parochial schools. She immediately contacted several reporters, and though an article in the Sun-Times subsequently briefly reported on this breach, the reporter did not mention that it was primarily private and parochial students whose data was exposed. In addition, legal claims for special education services that CPS had originally rejected were included along with student names. Cassie’s fuller explanation of this troubling violation of student privacy is below — as well as the fact that at least some of these schools and families have still not been alerted to the breach by CPS.

Cassie writes:

Once again, Chicago Public Schools has improperly shared sensitive student data, the Chicago Sun-Times reported on February 25th.

Medical data about students used to administer outsourced nursing services was stored on an unsecured Google doc available to anyone with the link. And personally-identifiable information (PII) about students with Individualized Education Programs (IEPs), including their name, student identification numbers and information about services and diagnoses related to their disabilities, were included in files of detailed vendor payments posted on the district’s public website.

I discovered this latter information in the vendor payment data, while in the course of searching for information about standardized testing expenditures. The files covered seven fiscal years, 2011-2016, but were only posted on the CPS website this past summer. Noticing what appeared to be a student name and ID number listed in the file struck me as surprising and likely a privacy violation. All in all, there were more than 4500 instances in the files where students’ names appeared along with the special education services they received.

Upon closer examination, it was clear to me that there was a great deal of highly sensitive student personal information that had been disclosed, with payments made from CPS to educational service providers assigned to hundreds of students with special needs attending private schools as well as public schools. Included were the name of the students, the schools in which they were enrolled, their ID numbers, the vendors who had been hired and the services they provided according to the students’ diagnoses. The funds for the payments came from public funds routed through the students’ home districts, CPS, to fulfill requirements of the federal Individuals with Disabilities Education Act (IDEA) for spending on special education students enrolled in private schools.

This breach has since been confirmed as violating federal and state privacy laws — at least in the case of the public school students whose personal information was disclosed and likely the private school students as well.