A recent data breach may have compromised the personal information of tens of thousands of school employees across the state. Oregon’s three largest school districts — Portland, Salem-Keizer and Beaverton — were all hit.
Carruth Compliance Consulting discovered suspicious activity on its computer systems last month. Carruth is a Tigard-based, third-party administrator that handles retirement savings plans for many Oregon school districts. Some higher education institutions, including Chemeketa Community College, were also affected.
An investigation revealed that unauthorized access to Carruth’s network occurred in late December, Beaverton School District officials shared, resulting in the compromise of sensitive employee data for Carruth’s clients. Carruth sent out a notice of the breach on Jan. 13.
This breach compromises data for all employees who have been employed by the Beaverton School District since 2009, officials said, regardless of whether or not Carruth was actively managing their 403(b) or 457(b) retirement savings plans.
The breach goes back further in other districts.
FILE- The Salem-Keizer Public Schools logo photographed outside the district's Student Support Services Center on Dec. 7, 2023, in Salem, Ore. Salem-Keizer, the state's second largest school district, was part of the Carruth data breach pool.
Natalie Pate / OPB
Portland Public Schools officials said the breach potentially impacts all employees who have been employed by PPS over a quarter century — from November 2000 to January 2025. Salem-Keizer Public Schools officials and Hillsboro School District officials said the breach impacts those employed between 2008 and today. More school districts and possibly other public agencies were also affected by the breach.
District officials say the information that’s been shared potentially includes employee names, social security numbers, dates of birth, pay information, and contribution amounts to non-PERS retirement savings accounts. Carruth officials said it did not include medical records.
Additional information employees may have shared directly with Carruth may have been compromised as well, such as beneficiaries, power of attorney, financial account information, driver’s license numbers, W-2 information, medical billing information and tax filings.
Districts are trying to get the word out so current and former employees take action.
Beaverton’s FAQ on the breach says employees will not receive any notification from Carruth verifying that their information was compromised. Instead, they should proactively take these steps:
- Enroll in credit monitoring and identity restoration services: Carruth offers free credit monitoring and identity restoration services through IDX. To enroll, call IDX at 877-720-7895.
- Monitor your accounts: Regularly review your retirement savings plans, bank accounts, credit card statements and other financial accounts for suspicious activity. If you see anything unusual, report it to your financial institution immediately.
- Check your credit reports: You’re entitled to one free credit report annually from each of the three major credit reporting bureaus (Equifax, Experian and TransUnion). Visit www.annualcreditreport.com or call 1-877-322-8228 to order free reports.
- Consider placing a fraud alert or credit freeze on your credit report to help protect yourself from identity theft.