Comment by jovial_cavalier

4 years ago

I graduated high school in 2015. I remember similarly poking around a network drive until I found a file in plaintext which contained everyone's student ID and whether or not they had a nut allergy (protected by HIPAA), for the bus system.

I didn't think much of it, but some other students caught wind. Before I knew it, the superintendent threatened to have the police involved and press legal action for "hacking confidential student data."

It's CYA all the way, usually at the expense of the person in the chain least equipped to cover their ass (the student).

Similar story: the dean of my "high school" [1] asked me to create our school website. Another student apparently poked around on a network drive and found an SQL dump of all the students' network username/passwords. I brought this file to the dean, told them it was available on a shared drive (so they could remove it), and asked if they'd like me to use it -- since I already had it -- to enable all the students to log in to the school website with their existing network usernames/passwords. They said that was a great idea and gave me the OK.

A week later, police escorted me from my dorm and both I and the other student were eventually expelled and threatened with harsh legal action, which never came.

[1] The "high school" was an early-entrance-to-college program where we started college at 16, lived on campus, took the normal freshman/sophomore college courses, and eventually received a high school diploma and an Associate of Science when we graduated at 18. The website was for the school I attended, but the SQL dump included all of the university students as well. The school has since shut down.

> whether or not they had a nut allergy (protected by HIPAA)

Personal pet peeve:

Your high school is not a covered entity and is not acting as a business associate of a covered entity. HIPAA does not apply. They are free to keep a plaintext file with your name, nut allergies, COVID vaccination status, and anything else they want to put in there - without HIPAA entering into the discussion.

FERPA could apply, but I don't know much about that.

  • Nut allergy info that was collected by the school (teacher, admin, nurse, whoever) is part of the student records and would be protected information under FERPA.

Wow. That's terrifying. And you didn't even run anything!

I'm guessing that they never told you "don't browse this network drive"?

  • Never press F12 while browsing. Instant hacker.

    Seriously, I found a state website that appeared to be exposing NPI about certain people in an API response. So much NPI nicely formatted in a JSON response. I closed the page and never touched it again. You know the state will declare me a dangerous and sophisticated hacker because I pressed F12 to open the developer tools; that's much easier than admitting they made a mistake.