"Meaningless": Town Attorneys Release Academic and Medical Records of Students from Unrelated Schools to Litigant
BLOOMFIELD, CT — Attorneys defending the Bloomfield Board of Education against a bullying complaint produced a spreadsheet containing detailed, unredacted records of dozens of students who attended different schools than the child at the center of the case—and were in grades the school doesn't even serve.
The spreadsheet, spanning more than eight pages and produced by the law firm Karsten & Tallberg, LLC during Connecticut Commission on Human Rights and Opportunities (CHRO) proceedings, contained sensitive personally identifiable information (PII) for students in grades 4 through 8.
But the case involves a second-grader who attended an elementary school that serves students only through the 2nd grade.
Student names were redacted on only one to two of the eight pages. All other personally identifiable information—including Student ID Numbers, Dates of Birth, Racial/Ethnic Data, and Special Education Status (IDEA Indicator)—remained visible throughout the document.
When the litigant notified Karsten & Tallberg that they had received this sensitive information about children unrelated to the case, attorney Dennis M. Durao responded that "redactions were overkill based on the confidential nature of the CHRO proceedings" and declined further discussion, calling it a "meaningless and unproductive email exchange."
Records from Different Schools Entirely
The students whose records were disclosed attended schools that serve grades beyond those offered at the elementary school involved in the complaint, according to the spreadsheet's "Enrolled School" field.
While the litigant’s child attended a K-2 elementary school, the spreadsheet provided by Karsten & Tallberg contained records for students in grades 4 through 8, indicating they attended Bloomfield’s middle school or other district facilities.
"These children weren't even in the same building as my son," the litigant told The Dispatch. "They couldn't have witnessed anything. They couldn't have been involved in any way. Why do these lawyers have their special education status and test scores in a case about my second-grader being bullied?"
"Improper Data Dump"
Legal experts reviewing the details of the disclosure raised immediate concerns regarding the relevance of the data produced.
"Producing special education or disciplinary data for 4th–8th grade students from entirely different schools—where the complainant is a 2nd grader—has no apparent nexus to notice, comparators, or institutional response at issue," said Matthew Marks, a partner at the employment and education law firm Ricotta & Marks, P.C.
Marks noted that such a broad release of student data "strongly resembles an improper data dump rather than a narrowly tailored FERPA-compliant disclosure."
Sensitive Protected Categories Exposed
Beyond academic records, the spreadsheet disclosed students' racial and ethnic identities and disability status—information protected under federal civil rights laws.
The spreadsheet's columns included "Ethnicity," "Gender," and "IDEA Indicator"—a reference to the Individuals with Disabilities Education Act, which guarantees special education services to eligible students. IDEA requires strict confidentiality of disability-related information.
The Americans with Disabilities Act (ADA) and Section 504 of the Rehabilitation Act provide additional privacy protections for disability information, treating such data as confidential medical information in many contexts.
"Disclosing the disability status and race of unrelated minors to a non-parent, non-school official without consent potentially violates FERPA, IDEA confidentiality provisions, and Section 504 safeguards," Marks said. "Such disclosures expose districts to OCR complaints, state and federal compliance investigations, and corrective action requirements."
"Redactions Were Overkill"
In an email obtained by The Dispatch, Attorney Durao admitted that "while we strive for perfection, we do not always achieve it." However, he defended the lack of privacy protection, stating, "the redactions were overkill based on the confidential nature of the CHRO proceedings."
Experts disputed this reasoning. "FERPA obligations apply regardless of the forum," Marks said. "Confidentiality does not waive a school district’s federal duty to protect personally identifiable information of students who are not parties or witnesses."
He ended the correspondence by stating, "I do not intend to engage in this meaningless and unproductive email exchange."
Taxpayer Oversight
Bloomfield taxpayers fund Karsten & Tallberg to protect the interests of the school district. The release of sensitive records for students who have no connection to the lawsuit suggests a failure in the firm's discovery review process.
"Dismissing student privacy concerns as 'meaningless' reflects a misunderstanding of the legal framework governing education records," Marks added. "Failure to take FERPA and IDEA confidentiality seriously can itself create liability for the district the attorney is tasked with protecting."
The Dispatch independently verified the litigant's claims by reviewing, during a video conference, physical pages of the spreadsheet that show column headers including "Student Name," "Student ID," "Date of Birth," "Ethnicity," "Gender," "IDEA Indicator" (special education status), "Test Score," and "Enrolled School," with visible data in rows beneath those headers. The review confirmed that student names were redacted on only one to two of the eight pages, while all other personally identifiable information remained visible throughout.
We reached out to Bloomfield Schools Superintendent Dr. Tracy A. Youngberg and Karsten & Tallberg Managing Partner James N. Tallberg for comment regarding their protocols for student data privacy. As of 5:00 PM Friday, they have not responded to our inquiries.
This is a developing story.
Update: Full Legal Analysis
Editor's Note: Due to the sensitive nature of the data involved—specifically the exposure of Special Education status and medical records of minors—and the Town Attorney's dismissal of these concerns as "meaningless," The Dispatch is publishing the complete legal analysis provided by Matthew Marks, Partner at Ricotta & Marks, P.C. This statement outlines the specific federal liabilities faced by the district.
"In education law, discovery involving student records is tightly constrained because those records are presumptively protected under FERPA. Producing special education or disciplinary data for 4th–8th grade students from entirely different schools—where the complainant is a 2nd grader—has no apparent nexus to notice, comparators, or institutional response at issue. This type of production is inconsistent with standard education-law practice and strongly resembles an improper data dump rather than a narrowly tailored FERPA-compliant disclosure."
"FERPA obligations apply regardless of the forum. While CHRO proceedings may be confidential as to the parties, that confidentiality does not waive a school district’s federal duty to protect personally identifiable information of students who are not parties or witnesses. Under FERPA, disclosure of education records without parental consent must be narrowly limited, redacted, and justified by a specific exception—none of which is satisfied merely because the case is pending before CHRO."
"Education law treats IDEA eligibility and special education status as highly sensitive protected information. Disclosing the disability status and race of unrelated minors to a non-parent, non-school official without consent potentially violates FERPA, IDEA confidentiality provisions, and Section 504 safeguards. Such disclosures expose districts to OCR complaints, state and federal compliance investigations, and corrective action requirements, particularly where the disclosure was unnecessary and avoidable."
"School district counsel operate in a heightened ethical environment because they routinely handle protected student data. Dismissing student privacy concerns as 'meaningless' reflects a misunderstanding of the legal framework governing education records and risks undermining the district’s compliance obligations. In the education law context, failure to take FERPA and IDEA confidentiality seriously can itself create liability for the district the attorney is tasked with protecting."
How do we come to learn the role of the Shared Services IT director in this data dump and whether he is truly competent in this role or made an epic mistake because of he is not the right person for the job and was hired due to nepotism?
ReplyDeleteThat is an excellent question. You are referring to the "chain of custody" regarding the student data involved in this breach. In short, the role of the IT department is highly restricted in these scenarios.
DeleteIn standard legal discovery, IT is typically only responsible for running a database query and extracting the raw files requested by the lawyers. It is the strict ethical and legal obligation of the attorneys representing the District to review, filter, and redact that raw data before handing it over to an outside party (e.g., an opposing litigant).
Given that Attorney Durao (of Karsten & Tallberg, LLC) explicitly stated in his email that he felt redactions were "overkill" because the CHRO proceeding was confidential, the evidence currently points to a deliberate decision at the legal review stage rather than a technical mistake by IT. Furthermore, as our legal expert pointed out, federal protections on student data like FERPA supersede those state-level confidentiality rules, placing much stricter requirements on data protection.
That being said, The Dispatch is continuing its investigation into the exact chain of custody of this spreadsheet to determine exactly who authorized the initial pull of this data. Thank you for reading and for raising this important question.