Parents expose breach of CPS data on special needs students

One of the most likely results of the privatization of key administrative work in any organization is that there will be leaks and further leaks available to anyone who wants to hack into the organization's "big data" sets. Despite all the claims that saving taxpayer dollars is the main job of public officials, there are actually many jobs that have to be done by well supervised public servants. And whenever a privatization scheme is promoted that takes away supervisory power from those in charge of the system, certain problems are inevitable, whether the system is prisons or public schools. And so we have the latest expose of leakiness in Chicago Public Schools "Big Data."



The following post is by Cassie Creswell, a Chicago parent activist from Raise Your Hand Illinois and a key member of our Parent Coalition for Student Privacy. In January, Cassie also testified on our behalf at the Chicago hearings of the Commission for Evidence-Based Policy against overturning the ban to enable the federal government to create a comprehensive student database of personally identifiable information.

More recently, upon examining expenditure files on the Chicago Public School website, Cassie discovered the names of hundreds of students along with the disability services they received at numerous private and parochial schools. She immediately contacted several reporters, and though an article in the Sun-Times subsequently briefly reported on this breach, the reporter did not mention that it was primarily private and parochial students whose data was exposed. In addition, legal claims for special education services that CPS had originally rejected were included along with student names. Cassie’s fuller explanation of this troubling violation of student privacy is below — as well as the fact that at least some of these schools and families have still not been alerted to the breach by CPS.

Once again, Chicago Public Schools has improperly shared sensitive student data, the Chicago Sun-Times reported on February 25th.

Medical data about students used to administer outsourced nursing services was stored on an unsecured Google doc available to anyone with the link. And personally-identifiable information (PII) about students with Individualized Education Programs (IEPs), including their name, student identification numbers and information about services and diagnoses related to their disabilities, were included in files of detailed vendor payments posted on the district’s public website.

I discovered this latter information in the vendor payment data, while in the course of searching for information about standardized testing expenditures. The files covered seven fiscal years, 2011-2016, but were only posted on the CPS website this past summer. Noticing what appeared to be a student name and ID number listed in the file struck me as surprising and likely a privacy violation. All in all, there were more than 4500 instances in the files where students’ names appeared along with the special education services they received.

Upon closer examination, it was clear to me that there was a great deal of highly sensitive student personal information that had been disclosed, with payments made from CPS to educational service providers assigned to hundreds of students with special needs attending private schools as well as public schools. Included were the name of the students, the schools in which they were enrolled, their ID numbers, the vendors who had been hired and the services they provided according to the students’ diagnoses. The funds for the payments came from public funds routed through the students’ home districts, CPS, to fulfill requirements of the federal Individuals with Disabilities Education Act (IDEA) for spending on special education students enrolled in private schools.

This breach has since been confirmed as violating federal and state privacy laws — at least in the case of the public school students whose personal information was disclosed and likely the private school students as well.

The records include descriptions of services along with the students’ names and schools that would clearly be considered highly confidential. Some descriptions related to academic services (e.g. “Direct Instruction – Reading, Writing and Math”) or speech and language therapy; others were even more sensitive, for example:

“direct therapeutic activities to address sensory processing and regulation emotional regulation [sic] fine motor”

“direct session once a week focusing on anxiety mood and social skills”

“direct services to develop strategies to work through anxiety other issues that interfere with her learning”

“Instruction by School Psychologist according to Special Education Service Plan”

In addition, the names and student id numbers of homeless CPS students were included in some of the earlier vendor payment files because of payments related to fee waivers.

The list of the 50 private and parochial schools and three school consortia whose student information was breached is below.

Or you can can click here to see a list of these schools with the number of instances for each one.

The vendor payment files also included instances of payments made to cover services mandated as the result of a due process hearing settlements. (Such a hearing is held when parents request a state-level resolution of a dispute over services for students with disabilities.) These included student names, case number and description of services (e.g. “[name redacted] – ISBE CASE NO. 20XX-00XX per order the district shall fund psychological evaluation services rendered [dates redacted]”)

Although the Sun-Times article quotes CPS officials saying that “affected families will be notified by CPS, ” I reached out to some of the schools, and they had not yet received notification as of Friday, March 3rd.

These are not the first student data breaches CPS has had this year. This past fall, a CPS employee was fired for unauthorized sharing of personal information of more than 28,000 students with a charter management organization, which then used the data for marketing.

Prior breaches (as documented here) in the last decade include:

May 2015: 4000 students had their names, addresses, phone numbers, disability status and other personal information inadvertently shared with vendors responding to a district RFP for transportation management software.

December 2013: Data from 2000 students who participated in a free vision examination program was viewable on the City of Chicago website for several months.

May 2009: Files containing student records including photos, test scores, social security numbers and the results of psychological tests were found in an alley dumpster.With more and more use of information technology in and out of the classroom, there’s been a rapid increase in the amount of data tied to individual students that is collected and stored by the district and third-party organizations.

Dozens of software and hardware vendors have products in use in the Chicago Public Schools. Payments to vendors of ed tech software alone have totaled at least $80 million in the last five years. The data generated by ed tech software is almost always tied to a student’s personally identifiable information.

Regardless of the significance of the information shared about any individual student in this breach, the apparent negligence with which the district has treated confidential student data in these most recent breaches brings up significant questions: What care is being taken to protect student privacy and comply with federal and state privacy laws? Who is looking out for our kids to ensure that these violations don’t recur repeatedly?

Parents and students should be justifiably concerned about how secure student data is. Taxpayers should be concerned about what legal liability the district is opening itself up to in an era of big data.


Add your own comment (all fields are necessary)

Substance readers:

You must give your first name and last name under "Name" when you post a comment at We are not operating a blog and do not allow anonymous or pseudonymous comments. Our readers deserve to know who is commenting, just as they deserve to know the source of our news reports and analysis.

Please respect this, and also provide us with an accurate e-mail address.

Thank you,

The Editors of Substance

Your Name

Your Email

What's your comment about?

Your Comment

Please answer this to prove you're not a robot:

5 + 4 =