Phishing scam exposes personal, medical information at central California school districts

Phishing emails to employees at several school districts in Monterey County, California, have exposed Social Security numbers and medical records.

A phishing scam targeting Carmel Unified School District in Monterey County, California, exposed documents containing sensitive employee information, the district announced last week.

Hackers obtained login credentials to several employee email accounts, according to CUSD. One of those accounts stored employee Social Security numbers, their spouses’ and dependents’ Social Security numbers, employee marriage certificates, employee dependents’ birth certificates and doctor’s notes, some containing medical information.

Initial phishing emails were sent in early January, at which time administrators became aware that district records had potentially been exposed and notified employees of the breach, said Paul Behan, CUSD’s chief technology officer.

“It was a lengthy and thorough process to go through all the records to see who was potentially affected and exactly which information may have been involved,” he told EdScoop in an email. Notices with additional information were sent in March to affected employees.


The district says it has no way to determine whether any particular information within the account was accessed, but has recommended that employees enable two-step authentication for their Gmail accounts and change passwords of other district accounts.

As required by California Data Breach Notification Law, CUSD is also offering employees one year of identity theft protection and credit monitoring services at no charge.

Jessica Hull, a spokesperson for Monterey County Office of Education, which serves CUSD, told EdScoop that the phishing email was not isolated to the one district.

“This was a widespread attack,” Hull said. “Emails were received by the County Office of Education and several districts within the county.” However, she said that no other county school districts have reported data breaches.

According to Hull, the phishing email contained a link to a fake login screen that stole unsuspecting users’ login credentials once entered, giving the hacker access to those accounts.


CUSD said it is working closely with the Monterey County Office of Education to improve data security and has begun an audit of its practices of document transfer, email storage, and encryption.

The district said it is also looking closely at computer security training.

“We are also actively educating our users to prevent them from falling victim to phishing and continue to improve our security through implementing recommendations from the Multi-State Information Sharing and Analysis Center,” said Hull.

Editor’s note: This story was updated on March 20, 2019 to clarify that the district contacted its employees immediately after the breach was discovered.

Written by Betsy Foresman

Betsy Foresman was an education reporter for EdScoop from 2018 through early 2021, where she wrote about the virtues and challenges of innovative technology solutions used in higher education and K-12 spaces. Foresman also covered local government IT for StateScoop, on occasion. Foresman graduated from Texas Christian University in 2018 — go Frogs! — with a BA in journalism and psychology. During her senior year, she worked as an intern at the Center for Strategic and International Studies in Washington, D.C., and moved back to the capital after completing her degree because, like Shrek, she feels most at home in the swamp. Foresman previously worked at Scoop News Group as an editorial fellow.
