A class-action lawsuit filed in King County Superior Court follows a September 2024 cybersecurity breach at Highline School District in which unauthorized actors accessed district technology systems containing sensitive personal information.

The affected data belonged to current and former students, employees, and other individuals whose information was stored in district systems at the time.

Following the reported cyberattack, schools across the district were shut down for nearly a week as technology systems were taken offline to contain the incident. District officials later acknowledged that restoring affected systems took many months, underscoring the scale and complexity of the breach and its long-term operational impacts. Months later, the full scope of the exposure is still coming into focus. For many families, recent notices are not a first warning, but a reminder that exposed data can remain vulnerable long after a breach is disclosed.

On April 11, 2025, the lawsuit, Y.G.R. and V.G.R., minors, by and through their parent and guardian Ana G. Robles Solis, et al. v. Highline School District, was filed on behalf of individuals whose data was exposed in the breach. The complaint alleges negligence, violations of Washington’s Data Breach Disclosure Law, breach of implied contract, unjust enrichment, and invasion of privacy arising from the September 2024 incident.

The plaintiffs are represented by attorneys Timothy W. Emery and M. Anderson Berry of Emery Reddy, PLLC. Highline School District denies wrongdoing and is represented by attorneys Amanda Harvey and Kayleigh Watson of Mullen Coughlin LLC. In September 2025, the parties reached a proposed settlement agreement, which is now pending final approval by King County Superior Court Judge Michael Scott. Minors are identified by initials in court filings to protect their privacy, a standard practice in cases involving children and sensitive personal information.

Who was affected and why notices are still arriving

Court filings state that approximately 94,102 individuals were identified as potential settlement class members based on Highline’s records of data stored in its systems at the time of the breach, regardless of how long ago those individuals were affiliated with the district.

That group includes former students and employees who may no longer live locally or have had contact with the district for years. Some individuals who graduated more than 20 years ago report receiving settlement postcards, raising questions about long-term data retention.

Many families have also reported on social media that settlement notices arrived listing dozens of individuals who do not live at their address, prompting concerns that some affected people, including children, may never receive notice because contact information is outdated.

Photo of postcard regarding Highline Schools Data Breach Settlement notification mailed to 94,102 Highline Schools past and present students, teachers.

What data was affected

Court filings and settlement notices state that the compromised files varied by individual, but may have included:

  • Names and home addresses
  • Dates of birth
  • Social Security numbers
  • Financial account information
  • Medical and health insurance information
  • Student identification numbers
  • Student records and demographic information

Not every individual had the same data exposed, but breaches involving children’s personal information raise particular concern.

Why children’s data poses long-term risk

Children do not monitor credit reports or financial accounts, making identity theft involving minors especially difficult to detect. A stolen Social Security number or birthdate may not surface until years later, when the child applies for college aid, housing, or employment.

Because student records are often retained long after graduation, data breaches involving school systems can carry consequences well into adulthood. Previous reporting by Burien News has highlighted the increased risk created by collecting and storing large volumes of student data over long periods of time.

What the lawsuit provides

Under the proposed settlement, affected individuals may submit claims for reimbursement of documented out-of-pocket losses, up to $5,000 per person. Eligible expenses may include fraud-related losses, credit monitoring costs, bank fees, postage, travel, and certain documented lost time.

Families may also opt out of the settlement to preserve the right to pursue individual legal action, object to the settlement terms, or take no action and remain bound by the agreement without compensation. Highline has also agreed to invest more than $200,000 in data security improvements, though details have not yet been fully disclosed.

What parents can do now

Parents can take several steps to protect their children:

  • Review any notice received and keep it for records
  • Check whether a child has an active credit file
  • Place a free credit freeze for minors
  • Monitor mail and financial activity
  • Document time and expenses related to responding to the breach
  • Decide how to participate in the settlement before deadlines

Parents should also know that most non-required surveys used by the district allow families to opt out, including numerous invasive, personal surveys that collect social, emotional, or behavioral data.

District response and next steps

The Highline Journal contacted Highline School District with questions about the scope of the breach, long-term data retention, and whether the district plans to reduce non-required data collection. As of publication, the district had not responded. This section will be updated if a response is received.

This is an ongoing story, and the Highline Journal will continue reporting as more information becomes available.

Share this article
The link has been copied!