Doyle APC | San Diego Product Liability Law Firm

Product Liability and Class Action Attorneys

Class Action Filed Against Sweetwater Union High School District Over Data Breach

July 13, 2023

SETTLEMENT UPDATE (December 2025): This class action lawsuit has been settled. If you received a data breach notification from Sweetwater Union High School District regarding the February 2023 incident, you may be eligible to file a claim for settlement benefits. All information about the settlement, claim forms, deadlines, and eligibility requirements can be found at the official settlement website: www.swusddatasettlement.com

If you are a current or former employee or student, or their spouse, dependent, or family member, associated with Sweetwater Union High School District (SUHSD), you might have received one or more letters notifying you that your personal information may have been stolen in a cyberattack that occurred in February 2023.

SUHSD waited until late June and early July 2023 to notify current and former employees and students of the data breach. Despite having four months to investigate the breach and determine precisely what data was stolen, the District’s notice was vague on the details of the breach, only noting that “some personal information of current and former employees, dependents, students, families and others who provided information to the District was included in the potentially taken files.” In addition, some of the data breach notices were mailed to the wrong address or addressee. The District sent a second set of notices allegedly correcting this error and asking that the original misdirected notices be returned or destroyed.

Sweetwater Union High School District Data Breach

According to SUHSD, around February 12, 2023, there was an “unauthorized access” to its computer systems. Following this breach, the District started an investigation.

In April 2023, the District contracted Logicalis, a United Kingdom-based IT company, to implement two-factor authentication for access to the District’s computer systems. That SUHSD implemented two-factor authentication only after this data breach, particularly when there had been an earlier breach of the same systems in September 2022, raises questions about whether the District had sufficient cybersecurity measures in place before the recent breach.

SUHSD’s investigation determined “some personal information” of the District’s current and former employees and students, as well as their spouses, dependents, and other family members, was stolen during this breach. The District did not provide details on what data was accessed or taken. Depending on how the District maintained its systems, the data could also include medical information such as workers’ compensation, disability or health benefit claims, direct deposit, or other financial information for employees.

Student Social Security numbers are particularly attractive to cyber-criminals because parents seldom check their children’s credit reports. Unfortunately, thieves know that an SSN stolen from a minor may be used for years to establish a false identity without being discovered. In addition, school districts may have student files with sensitive medical and psychological information about students. Schools regularly collect and process this sensitive information for students with IEPs or 504 plans and for those who have submitted medical forms to participate on school sports teams.

The complaint alleges this cyberattack against the District was foreseeable. There were prior warnings based on similar cyberattacks on several Southern California school districts before the SUHSD incident. Cyberattacks on school districts, universities, and municipal governments have become commonplace, as such entities typically store significant personal information and rarely segregate or delete old data.

SUHSD’s Data Breach Response

Under California law, school districts like SUHSD that maintain personal, financial, and medical information must take reasonable care in securing this data from cyberattacks. And once personal, financial, or medical information is stolen in a cyberattack, SUHSD must provide timely notice to potentially affected individuals of the breach and details on the type and extent of personal information stolen. The purpose of this notice requirement is so that affected individuals can try to minimize the harm the breach caused or will cause.

SUHSD waited until after the school year ended in late June and early July 2023, over four months after it had learned of the breach, before sending notice of the data breach to potentially affected individuals. SUHSD compounded the harm from the delayed notice by providing very few details about the breach and the type and extent of personal information stolen.

Protecting Yourself After a Data Breach

Following notification of a breach, these steps can help protect you:

Regularly review your credit reports from Equifax, Experian, and TransUnion. You can access free reports at www.annualcreditreport.com (official site). Report any unrecognized accounts or inquiries.

Place a fraud alert on your credit files for free via one of the credit bureaus. This requires creditors to verify your identity before changing your accounts or opening new ones.

Freeze your credit. Setting a freeze prevents unauthorized access to your credit reports, blocking identity thieves from creating new accounts. This can be done for free with each bureau, and the freeze is easily lifted when you need it.

Monitor your bank transactions for unusual activity. Immediately report any suspicious or unauthorized transactions to your bank. Consider updating your banking passwords and PINs.

Avoid phishing emails and calls asking for personal or financial details. If unsure of the legitimacy of a request, contact the sender using verified contact information.

Settlement of the Class Action Lawsuit

On July 9, 2023, a class action lawsuit was filed against SUHSD in San Diego Superior Court alleging the District negligently or recklessly failed to adequately secure the private, personal, financial, and medical information of affected individuals and failed to take steps necessary to prevent such an attack.

The case has since been settled. Under the settlement agreement, eligible class members who submit a claim form may receive:

  • One year of free credit monitoring services
  • Reimbursement for actual documented, unreimbursed out-of-pocket expenses up to $5,000 traceable to the data breach
  • Compensation of up to $100 for time spent dealing with fraud or identity theft related to the incident
  • Compensation for incidents of verified fraud of up to $5,000, with supporting documentation

All questions about settlement eligibility, claim forms, deadlines, and benefits should be directed to the official settlement website at www.swusddatasettlement.com.
