Here is my email to Education Commissioner Edelblut and Legislators on the PowerSchool Data Breach:
Commissioner Edelblut,
PowerSchool, owned by Bain Capital, experienced an international cybersecurity incident that involved unauthorized access to certain PowerSchool SIS customer data. This has impacted many school divisions across North America. PowerSchool is a 5.6 billion dollar company that lost personal information on students and their parents because of an international cyber attack.
The compromised data includes names, phone, email, physical addresses, and medical information. This has impacted 60 million students.
Our public schools are engaging in far more medical and mental health treatment than ever before. We see that when they are hiring additional mental health staff, purchasing SEL programs, and when they partner with medical facilities, like Amoskeag Health. Cyber attacks remind us all about the vulnerability of our children’s grades, but now, this means that their medical and mental health data are at risk, too.
To make matters worse, we know that PowerSchool is in court and charged with selling student data. Some of this could be legal due to the statutory changes to the FERPA law several years ago. But PowerSchool also tells users it may collect “student behavior data,” “physical and mental disabilities,” and “Student social-emotional learning indicators and inputs.”
I would suggest that everyone read the actual lawsuit against PowerSchool.
Prior to the change to the FERPA law, parents were the gatekeepers of their child’s personal information. Without their approval, this kind of information could not be shared with a “for-profit” technology company. Federal officials paved the way so Ed Tech companies could mine data legally. But where does the PII go from there? Let’s face it: no one working in our schools or in government has any idea.
Data is gold now, and we hand over personal information to EdTech companies that are completely faceless and whose priority is to increase their profits. It is up to the rest of us to limit or prohibit their access.
New Hampshire school administrators have been accepting federal grant money to change the focus of public education to include the CDC “Community School Model.” Some schools are moving right along with social and emotional learning and hiring additional school counselors, social workers, and school psychologists. Manchester is all in on turning their school into a medical and mental health facility. I read Manchester’s MOU with Amoskeag, and I found big problems with it. A district that struggles to teach kids to read will now become a medical and mental health facility too. What could possibly go wrong? In Maine, a school’s SBHC gave Zoloft to a student without parental consent or knowledge. Zoloft can cause suicidal thoughts.
We know Keene State / BHII worked their way into gathering mental health PII on students so they could report to the federal government on MTSS-B. They did this without the knowledge or consent of students or parents. I didn’t see any school administrators batting an eye when that happened in their schools.
PowerSchool was taken to court over selling personal data, which they argue they can legally do. We will learn more when that lawsuit is settled. I’m not seeing any school administrators concerned enough about that lawsuit to notify parents. It doesn’t matter if it’s legal or not; PowerSchool has the capacity to share PII due to the FERPA loophole, and the evidence the plaintiffs are presenting in court is shocking. It’s one thing when they collect math scores, it’s quite different when it’s mental health and medical data.
Maybe PowerSchool will get a smackdown by the judge for some of this, but the money they make off of data may be worth a legal challenge or a judge’s ruling.
This is a big issue, and it’s an important issue. Personally, I would have removed my children from a New Hampshire public school when school administrators grabbed the mental health money from the SAMHSA and Project Aware Grants. Data privacy advocates warned that this was coming a long time ago.
The Executive Director of the National Association of Social Workers didn’t know that federal law (ESSA) prohibits Social Workers in our schools from providing services or assessing a child on their mental health without parental consent. School Counselors are pressured to hand over PII to data analysts to meet requirements set by the federal government in the MTSS-B grant. Who is unaware of all of this? Parents and families across the state.
Someone needs to take this seriously. I know you and Representative Cordelli have both worked on this in the past, and I thank you for that, but we are not doing enough. Superintendents do not want to go through a tedious process of gathering consent from parents, but something needs to be done. If these vendors showed up in their office asking for personal information on students, they’d be turned away. But since they are selling a product, personal student data is suddenly up for grabs.
While we are scrambling over a data breach, Swedish schools are going in the opposite direction. They are leaving the technology behind and going back to textbooks. In 2009, Sweden Replaced Books with Computers—15 Years Later, It’s Investing €104 Million to Reverse the Decision. This shift in our schools to 1:1 devices was about profits for Ed Technology companies. This was never to help children academically. If anything, it contributes to a decline in their mental health.
Parents need to know precisely what has been compromised so they can decide how to proceed. All of you, Legislators, Governor, Superintendents, and Data Security Specialists need to figure this out. This is not just about a data breach; it is about the daily mining of personal data on students in New Hampshire schools.
Sincerely,
Ann Marie Banfield
North Hampton, NH