Confidential information about Chicago Public Schools students — including medical conditions and dates of birth — was kept on unsecured web documents that anyone could call up despite laws and CPS rules that are supposed to safeguard children’s privacy.
Some of the personal, identifiable information involved requests for certain ongoing nursing services for students that are handled through a private CPS contractor, RCM Health Care Services.
The services included such things as making sure students got doses of medications they regularly take, doing blood-sugar tests on diabetic children and maintaining breathing and feeding tubes.
The shared spreadsheet containing the information was viewable online until recently.
The breach also included special education students’ names, identification numbers and other information that’s supposed to be kept confidential but was viewable in payment records that were posted on CPS’ website. That included the type of special education services being provided, which covered a wide range, including speech therapy.
The payment records including the special education student data were taken down Friday after a Chicago Sun-Times reporter asked CPS officials about the apparent privacy breach.
That was two days after Forrest Claypool, the city schools chief executive officer, assured school board members discussing the privacy of students’ citizenship status on Wednesday that, “when it comes to keeping children safe and protecting their privacy, we will take a fierce stand.”
But the records, which date as far back as 2013, showed about 1,600 instances in the 2015-2016 school year alone in which students’ names appeared along with the special education services provided for them.
In the four-year, $30 million contract RCM signed with CPS in the summer of 2015, the private nursing services contractor agreed to abide by laws regarding medical records and student privacy as well as CPS’ policy.
RCM also told school officials it would use its own software to schedule nurses to see students and to provide details to the nurses of the students’ medical needs. Since July 2016, though, RCM and CPS staffers entered that data into a spreadsheet shared via Google Drive that had no password protection or encryption, meaning it could be seen by anyone with the link. The online spreadsheet only recently began requiring a login.
“I can’t speak to the Google document because that’s not RCM’s,” said Andrew Hay, the company’s liaison to CPS. “That’s not anything that belongs to RCM.”
RCM has faced criticism from some parents of children who need nursing services during school hours and from CPS nurses, who are members of the Chicago Teachers Union and have complained to the Chicago Board of Education about slow response times and nurses being dispatched who can’t or won’t perform needed medical services.
CPS spokesman Michael Passman said the health information wasn’t publicly searchable, that finding it was possible only if someone from CPS or RCM improperly provided the link and that a login requirement has now been added.
Regarding the special ed. information, Passman said: “The student data in question was inadvertently posted as part of a data set designed to increase transparency into district spending. And we have begun the process of initiating new data security measures to help prevent a similar incident from occurring in the future. As soon as we became aware of the inadvertent disclosure, we immediately removed the sensitive information from our website.”
He also said affected families will be notified by CPS.
The special education spreadsheets that had the students’ personal information included spending records for speech therapists, reading and math help and other services paid for by federal money allocated under the federal Individuals with Disabilities Education Act, known as IDEA.
Legal experts on student privacy said it appears that, by not keeping the information private, CPS broke federal and state privacy laws.
“It does violate the law,” said Amelia Vance, an attorney with the Future of Privacy Forum, a Washington, D.C., advocacy group.
Vance noted that the federal Family Educational Rights and Privacy Act, known as FERPA, protects all but the most basic student data.
Also, Vance said, “IDEA specifically protects basically all the information about the students’ interventions and tutoring in the spreadsheet and states that, throughout the entire process, the school has to protect the confidentiality of the students. You also have this Illinois law, which doubles down on FERPA and says, ‘Don’t do that.’ ”
There are specific privacy protections in the law, she said, “for the same reason that parents worry about this type of information getting out: the concern that particularly sensitive information about students — whether health information, special education information, disciplinary information — could be used to discriminate against their child.”
Frank LoMonte, a lawyer who is executive director of the Student Press Law Center in Washington, said FERPA requires that “all educational institutions have to observe a policy and practice of safeguarding student education records. Identifiable info about medical treatment and special education treatment is the kind of information FERPA intended to keep private.”