1. News
  2. /
  3. The Education Gradebook

Glitch leads to leak of more than 170 Hillsborough students’ personal data

Dozens of parents who applied for their child to attend the district's virtual school received slew of emails with links to other students' application forms.
Hillsborough Virtual School offers full-time enrollment and is a school choice option.
Hillsborough Virtual School offers full-time enrollment and is a school choice option. [ Twitter ]
Published Jul. 31, 2020
Updated Jul. 31, 2020

TAMPA — A coding error resulted in the leak of personal data of 173 Hillsborough County students who have applied to the district’s virtual school, officials acknowledged Friday.

Parents who have applied to enroll their children in Hillsborough Virtual K-12 school were supposed to receive a single email confirming their child’s application. But along with that, their inboxes were deluged with emails for dozens of other students. Each message had the name of a different student and included a link to that child’s application.

The leak has alarmed parents who saw that their own child’s application was among those sent to dozens of other email addresses. It has led to calls for the district to pay for identity theft protection for affected students.

Davis Islands resident Tom Wagner said he received an email acknowledging his son’s application to the virtual school at about 4:15 p.m. Thursday. One minute later, his inbox was deluged with similar emails for other students.

The emails allowed him to click on a link and view any of the students’ applications. It was not until an hour later that the links were disabled.

“My biggest concern would be that personal information of our son was at least momentarily available for anyone to get,” Wagner said. “If that’s the case, I want to make sure he has some form of identity protection in place so his information and our information remains secure.

School district spokeswoman Tanya Arja said the glitch was a human coding error made by an outside contractor.

“We take this incident very seriously,” Arja said. “As soon as we were notified of the inadvertent disclosure, we disabled the link.

Tanya Arja, Chief of Communications for the Hillsborough County Public Schools
Tanya Arja, Chief of Communications for the Hillsborough County Public Schools [ HILLSBOROUGH COUNTY PUBLIC SCHOOLS | Handout ]

Arja said the glitch exposed only limited information, including student names, birthdays and parent contact information. It did not include Social Security numbers and home addresses, she said.

The district plans to contact the families affected to explain what information was mistakenly sent and has agreed to pay for the cost of identity management monitoring for the 173 students, Arja said.

The glitch comes as the district’s virtual school is enrolling thousands of students whose parents are wary of sending their child to a bricks-and-mortar school during the pandemic.

As of July 23, 10,732 students had either registered for Hillsborough Virtual K-12, or indicated they would do so, according to the “declaration of intent” forms.

That’s up from slightly more than 300 students last year. The school is run by Matthew Hoff, the school district’s director of virtual instruction programs. Hoff is new to that role, and his last job was principal of Cannella Elementary School.

Follow what’s happening in Tampa Bay schools

Follow what’s happening in Tampa Bay schools

Subscribe to our free Gradebook newsletter

We’ll break down the local and state education developments you need to know every Thursday.

You’re all signed up!

Want more of our free, weekly newsletters in your inbox? Let’s get started.

Explore all your options
Related: Florida school districts beef up virtual programs to keep students

Lithia mother Trudy Stinson was one of the parents whose child’s information was sent to others. She enrolled her son in the virtual school because she thinks it’s the safest option for the new school year.

“This is very unprofessional, not to mention scary for my child and all the others in this world today,” she said. “My child’s personal information is out there for who knows how many people to get. I am not happy.”

Tampa mom L Thompson said she included health information about her daughter in a free-form field in her application. She said the district has violated the Family Educational Rights and Privacy Act, which states that student information cannot be shared without parental consent.

Even without a Social Security number, the personal details released by the district are sufficient to create a risk of identity theft, said Thompson, who has worked in student data management for two universities.

“There’s literally nothing the School Board can do to retrieve my daughter’s data from 60 plus strangers,” she said.

Times staff writer Marlene Sokol contributed to this report.