Information about several thousand current and former Jefferson City Public Schools students was inappropriately transferred by an employee to a personal email account, the school district said Wednesday.
JCPS officials said they will be notifying parents and guardians of current and former students whose personal information was included in the data.
JCPS Director of Communications Ryan Burns said the district was alerted in February by a day or two of unusual activity that an employee with authorized access to district files containing student information was transferring data - including a combination of one or more of students' names, addresses, medical information and/or Missouri Student Identification System numbers - to a personal Gmail account.
A news release Wednesday from JCPS called that action of the employee "a violation of JCPS policy relating to the unauthorized transfer of student information."
Burns said the district does not know why the employee was copying the student files, but the district immediately took action by terminating the employee's ability to connect to the district's network and by placing the employee on administrative leave.
"While JCPS has no evidence of identity theft occurring as a result of this incident, JCPS encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud by reviewing their accounts, explanations of benefits and credit reports for suspicious activity, and to report any suspicious activity to the affiliated institutions immediately," according to the district's news release.
Burns said the district is giving more than 3,500 individual notices - starting this week by mail if possible - and "(It) looks like a vast majority of impacted records were from 2015 and on, so anyone who graduated before then should be clear."
"There's no specificity to the grades (affected)," she said, but added "it is definitely not in any degree all previous JCPS students" who have been affected.
She said JCPS is confident it's identified all people affected by the privacy incident.
The investigation that JCPS "immediately launched" following the administrative actions taken against the employee was supported with computer forensics investigators, according to the district's news release.
Burns said the computer forensics investigators work with a third-party data security legal firm the district was connected with through its cybersecurity insurance coverage.
"We have reported the incident to law enforcement," she said.
She added an investigation is ongoing - "in conjunction with the other regulators, law enforcement and continuing with the forensics investigators, we're still in the process of finalizing that investigation."
Burns said the district worked with the computer forensics investigators to determine the list of students impacted by the unauthorized transfer of data, "and we were very careful with that process" to be diligent and thorough.
She said the district has been in touch with the employee "multiple times" to request the copied electronic files be returned, "and they have not agreed to return those files to us yet."
Burns said the district has gotten calls from parents who have questioned why the employee still works for the district.
"We have taken every step that's available to us within employment law to limit their access and to put them on leave, and then as the investigation continues, we'll be able to make a determination as to the next steps," Burns said.
She emphasized "all of our systems are incredibly secure and safe."
"It's not that our system was compromised in any way (such as by an external hacker). Student data that we capture within our systems is completely protected and has never been at risk, was never compromised with this. This is a by-product of the Google sharing platform that our employees use, and it was an employee that had legitimate access to these documents through their role with the district, that copied them to a personal account," she said.
She added the privacy incident was the result of "the actions of a rogue employee that unfortunately couldn't be controlled."
The district's news release added additional information can be found at jcschools.us, or by calling 866-775-4209, from 8 a.m.-5:30 p.m. Monday through Friday.