Pictured above is a copy of the letter which was issued to employees
Santa Rosa County District Schools on July 25, 2022, issued a letter to multiple employees, stating the district had “discovered” personal employee information had been left exposed on spreadsheets on a district website for more than 16 months. At this time it is unknown how many employees and employee dependents were impacted by what the district is referring to as an “incident.”
The data on the spreadsheets contained Social Security numbers, birthdates and first & last names plus health insurance and other information.
Per the letter, SRCDS one month earlier, on June 25, 2022, “discovered that an Excel spreadsheet that contained employee health information had been inadvertently posted” on the district’s purchasing website and was also submitted to a third-party vendor’s website as part of a Risk Management bid process.
Upon further investigation, the district determined two Excel spreadsheets containing employees’ personal data had been posted in an “unauthorized manner.”
After discovering the incident, the district says it commenced an investigation and worked with external cybersecurity professionals to mitigate data exposure, including ensuring the files were deleted from the district’s website. “Additionally, we notified third-party vendors who may have accessed the information to confirm destruction of the information, to the best of our ability,” stated the letter.
“We believe your personal information was involved in this incident, so we wanted to notify you of the incident and provide you with information on steps you can take to help protect your information,” stated Superintendent Karen Barber in the letter. “We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident.”
The letter, which was mailed from a West Sacramento, California post office box but signed by Barber, stated the district believes in transparency and had issued the letter as a “precautionary measure.”
A second page of the letter offered free credit reporting for one year via IDX.
Some employees who received the letter said their dependents also received letters and that they were offered credit monitoring for a year.
“We deeply regret and apologize that this disclosure of your data occurred,” stated Barber, who said the incident was a “direct violation of protocols and policies in place.”
Barber went on to add that employees had been re-trained on the systems in place to protect employees’ personal information.
Current, retired and former employees and family members may call 1-833-909-4424, a confidential, toll-free response line dedicated to answering questions about the personal information disclosure. The response line is available 9 a.m. – 9 p.m. EDT, Monday through Friday.