Cyber Incident Victim: Bernards Township School District

On April 6, 2021, Bernards Township School District in New Jersey detected potential unauthorized access to its computer network. The district initiated an investigation into the incident but did not immediately disclose the breach publicly. Over ten months later, on February 11, 2022, the district concluded an extensive manual document review of compromised files and folders. This review determined that attackers had accessed sensitive personal information including names, dates of birth, Social Security numbers, driver’s license and state identification numbers, financial account details, health insurance information, medical records, student record information, and online account credentials. The district mailed breach notification letters to affected individuals on April 6, 2022—exactly one year after initial detection—without publicly explaining the reason for the notification delay.

The compromised data spanned multiple categories of sensitive information with potential regulatory implications. Student record information fell under FERPA protections, while health insurance and medical data potentially implicated HIPAA regulations depending on whether the district administered employee health plans. The breach exposed individuals to risks of identity theft, financial fraud, and medical privacy violations due to the comprehensive nature of the stolen identifiers. District officials did not disclose whether the incident involved ransomware, external threat actors, or specific attack vectors beyond unauthorized network access. No information was provided about containment measures, system remediation, or whether law enforcement was involved in the investigation. The notification letters represented the district’s first public acknowledgment of the breach despite its discovery occurring twelve months prior.