The Highline School District, serving communities in Washington state, reached a $650,000 class action settlement following a significant ransomware attack that exposed sensitive personal information for approximately 94,102 current and former students and employees. The settlement makes up to $5,000 available to affected individuals who can document out-of-pocket losses resulting from the breach, alongside 12 months of free credit monitoring and identity protection services. This settlement represents one approach to compensating victims after a major educational institution’s security systems failed to prevent unauthorized access to highly sensitive data.
The breach occurred on September 7, 2024, when the district discovered a ransomware attack that forced the closure of all schools and activities for three days. The attack compromised a range of sensitive information including Social Security numbers, driver’s license numbers, medical records, health insurance information, financial account details, passport numbers, birthdates, addresses, employment records, and student identification numbers. The scope of the incident—affecting nearly 94,000 individuals—represents the kind of large-scale educational data breach that has become increasingly common as schools become targets for sophisticated cyber criminals.
Table of Contents
- What Personal Information Was Exposed in the Highline School District Breach?
- How Much Money Is Available in the Highline Settlement and Who Qualifies?
- What Support Services Are Available Beyond the Financial Settlement?
- How Do You File a Claim for Compensation?
- What Are the Limitations and Risks of the Settlement Process?
- Understanding Your Rights as an Affected Individual
- The Broader Context of Educational Data Breaches
What Personal Information Was Exposed in the Highline School District Breach?
The ransomware attack accessed an extensive array of personal data from school records. The compromised information included Social Security numbers, which are particularly valuable to identity thieves because they unlock access to credit accounts, loans, and government benefits. Driver’s license numbers were also exposed, along with medical details and health insurance information—data that could be misused for insurance fraud or to obtain prescriptions and medical services under someone else’s identity. The breach also included financial account information, passport numbers, birthdates, home addresses, employment details, and student ID numbers.
This breadth of exposure matters because attackers can combine different data points to commit multiple types of fraud. For example, a criminal with an individual’s Social Security number, date of birth, and address has enough information to apply for credit cards, take out loans, or file false tax returns. When health insurance information is added to that mix, they might even seek medical treatment or prescription drugs in the victim’s name. The 94,102 individuals affected by this breach likely faced varying levels of exposure depending on their relationship to the district—some as students might have had educational records compromised, while employees might have had more extensive employment and financial information accessed.
How Much Money Is Available in the Highline Settlement and Who Qualifies?
The $650,000 settlement provides up to $5,000 per person for documented out-of-pocket losses directly caused by the data breach. To qualify for compensation, affected individuals must have experienced actual financial or other losses that they can document—such as credit monitoring services they purchased before the district offered free monitoring, identity theft recovery costs, time spent addressing unauthorized accounts or fraudulent charges, or costs associated with credit freezes and monitoring services. The settlement does not provide automatic payments to all affected individuals; instead, it operates on a claims-based model where individuals must submit documentation of their losses.
The key limitation of the $5,000 cap is that it may not fully cover losses for victims who experienced significant identity theft following the breach. For instance, if someone had a fraudulent mortgage application filed in their name, or if they spent hundreds of hours and thousands of dollars restoring their credit and addressing multiple fraudulent accounts, the $5,000 maximum might cover only a portion of actual losses. The settlement also includes provisions for attorney’s fees and claims administration costs, which means the full $650,000 does not go directly to victims—some portion covers the costs of processing claims and compensating the legal counsel who negotiated the settlement.
What Support Services Are Available Beyond the Financial Settlement?
Beyond the financial compensation, the district committed to providing 12 months of free credit monitoring and identity protection services to all affected individuals. This service typically includes continuous monitoring of credit reports for suspicious activity, alerts when someone tries to open new accounts or make significant changes to existing credit profiles, and assistance with freezing credit reports and resolving fraudulent accounts. For many victims, these services provide peace of mind during the critical period immediately following a breach when identity thieves are most likely to act. However, 12 months of monitoring has a clear endpoint—after that period expires, individuals are responsible for their own ongoing monitoring.
This creates a practical limitation for breach victims because identity theft can occur years after a breach, as criminals stockpile stolen data and sell it through dark web marketplaces. Some victims may discover fraudulent accounts opened in their names long after the free monitoring period ends. Additionally, while the district’s commitment to credit monitoring is valuable, it serves as a reactive measure rather than preventing the breach in the first place. The district also committed over $200,000 to data security improvements and infrastructure upgrades intended to prevent future incidents, but this commitment does nothing to help victims who were harmed by the 2024 attack.
How Do You File a Claim for Compensation?
To participate in the settlement, affected individuals must submit a claim by the deadline of April 20, 2026. The claim process typically requires providing evidence of identity as an affected individual (which the district can often verify through its own records) and documentation of losses—such as credit card statements showing fraudulent charges, receipts for credit monitoring services purchased before the district’s free offering, medical bills for unauthorized services, or other proof of out-of-pocket expenses. Claimants can usually file online through the settlement administrator’s website, though some settlements allow postal submissions for those without internet access.
The challenge with claims-based settlements is that many affected individuals do not file claims, either because they are unaware of the settlement, don’t understand the claim process, or don’t have readily available documentation of losses. Studies of data breach settlements have found that claim rates often fall between 5% and 20% of the eligible population, meaning millions of dollars in settlement funds sometimes go unclaimed and revert to the defendant or are donated to related causes. If you believe you were affected and experienced losses, gathering documentation early—credit reports, statements showing fraudulent activity, receipts for protective services—makes the claims process significantly more straightforward.
What Are the Limitations and Risks of the Settlement Process?
One significant limitation is that the settlement may not provide enough information about what happened and how the breach occurred. While the district confirmed the incident was a ransomware attack and notified the FBI, public disclosures about the specific vulnerabilities that allowed attackers entry, the security measures that failed, or whether ransom was paid are often limited. This lack of transparency means that affected individuals may not fully understand how their data was exposed or what measures the district has specifically implemented to prevent recurrence. Ransomware attacks against schools have become increasingly common—over 150 school districts experienced ransomware attacks in 2024 alone—and many investigations reveal that the breaches resulted from common, preventable vulnerabilities like unpatched software or weak multi-factor authentication.
Another risk is that settling the case may discourage the kind of intensive regulatory scrutiny and enforcement action that could force systemic change across educational institutions. State attorneys general and federal regulators have been increasingly active in pursuing data breach cases against schools and other organizations that fail to maintain adequate security. When cases settle, the regulatory pressure often decreases, and the defendant may be required to simply comply with previously established security standards rather than implement genuinely enhanced protections. Additionally, the settlement does not prevent the district from future breaches or guarantee that the $200,000 data security investment will actually be effective—security investments are only valuable if they address the root causes of the breach rather than implementing security theater that appears protective without actually reducing risk.
Understanding Your Rights as an Affected Individual
As an affected individual, you have the right to claim compensation from the settlement if you experienced documented losses, enroll in the free credit monitoring services offered by the district, and receive written notification about the breach and the settlement terms. You also have the right to access your own school or employment records through formal requests, which may help you understand what specific information about you was compromised. Some individuals may also have rights to file complaints with state attorneys general or privacy regulators if they believe the district’s handling of their data violated applicable laws.
It’s important to understand that settling a lawsuit does not prevent you from pursuing separate claims if you later discover additional losses or additional wrongdoing. Some breach victims have pursued separate legal action after initial settlements if they discovered that the extent of misuse was far greater than initially understood or if the defendant’s security practices were egregiously negligent. Additionally, if you have credit insurance or certain homeowner’s insurance policies, your insurance may cover some identity theft losses—checking your policy details may reveal additional avenues for compensation beyond the settlement.
The Broader Context of Educational Data Breaches
The Highline School District breach is part of a troubling pattern of educational institutions struggling with cybersecurity. Schools are particularly attractive targets for ransomware attackers because they typically operate with limited IT budgets, use older software systems, and contain valuable personal information about children, families, and employees. When schools experience ransomware attacks, the criminals often threaten to publish stolen data if the institution doesn’t pay a ransom, creating a difficult choice between paying the extortion or allowing sensitive information to be leaked publicly.
The Highline case demonstrates that even when ransomware attackers are not paid, the data may still be sold or exploited, making the breach consequential for affected individuals regardless of the district’s ransom decisions. Looking forward, educational institutions and policymakers are increasingly recognizing that data breach settlements, while providing some compensation to victims, are essentially the cost of doing business when security is inadequately prioritized. Many education advocates argue that a more effective approach would involve implementing mandatory minimum cybersecurity standards for schools, requiring regular security audits, and holding district leaders personally accountable for negligent security practices. The $650,000 Highline settlement may seem substantial, but when spread across 94,102 affected individuals, it averages less than $7 per person—a stark reality that illustrates both the limitation of settlements as a remedy and the need for preventive approaches that keep breaches from occurring in the first place.
You Might Also Like
- Varsity Brands $1.1 Million Data Breach Class Action Settlement
- T-Mobile $350 Million Customer Data Breach Class Action Settlement
- PharMerica $5.275 Million Patient Data Breach Class Action Settlement
Open Settlements You Can Claim Now
Browse current class action settlements accepting claims — several require no proof of purchase: