San Diego Unified School District Data Breach Lawsuit Settlement, How Much Money You Can Get

ByAll About Lawyer Reading Time: 13 minutes

San Diego Unified School District agreed to settle a ransomware attack class action that exposed personal information of 45,307 students and staff. If you got a breach notification letter, you can claim up to $2,500 plus free credit monitoring. How much will you actually get? What information was stolen? When’s the deadline?

The settlement got preliminary court approval on September 19, 2025 after an October 2022 ransomware attack compromised Social Security numbers, student records, and employee information. The claim deadline is January 13, 2026—just days away. Final approval hearing is February 6, 2026.

This Could Mean Money and Identity Protection for You

You need to file fast if you’re a parent whose child attended San Diego Unified, a current or former employee, or anyone who received a mailed breach notification from the district.

The October 25, 2022 breach sat undetected while hackers installed ransomware and stole files containing student and employee data. The district waited until December 2022 to report it to California’s Attorney General and didn’t start mailing breach letters to everyone affected until June 2023—eight months after the attack.

If your information was in those stolen files, you’re at permanent risk for identity theft. Your Social Security number doesn’t expire. Criminals can use it years from now to open credit accounts, file fake tax returns, or steal your benefits.

What the San Diego Unified Data Breach Settlement Covers

What Was the San Diego School District Data Breach Lawsuit About?

On October 25, 2022, an unauthorized third party installed ransomware in files on San Diego Unified’s network. According to the lawsuit (G.W., et al. v. San Diego Unified School District, Case No. 37-2023-00035972-CU-BT-CTL), these compromised files included massive amounts of personal information belonging to district employees and students.

The district knew about the attack immediately but didn’t notify the people affected for months. They reported the breach to California’s Attorney General on December 12, 2022—nearly two months after it happened. They sent the first notifications to employees and student families on December 14, 2022.

But it got worse. In April 2023—six months after the breach—the district admitted the attack also hit former employees whose personal data shouldn’t have been on any active servers. They finally sent a third wave of breach letters in June 2023, almost eight months after the hack.

Parents and employees sued, claiming San Diego Unified was negligent, failed to protect their data properly, and violated California’s data breach notification laws. The district denied all wrongdoing but agreed to settle to end the litigation.

How Much Is the San Diego Unified Settlement Worth?

The settlement doesn’t publicly disclose the total fund amount. But here’s what you can claim:

Up to $500 for regular out-of-pocket costs if you have receipts. This covers unreimbursed bank fees, credit monitoring you paid for yourself, credit freezes or unfreezes, notary fees to get affidavits, certified mail costs, gas money or mileage to deal with the breach, and any other documented expenses directly caused by this breach.

Up to $80 for lost time at $20 per hour for up to four hours. You need to describe what you did: freezing your credit, calling your bank, monitoring accounts, dealing with fraud alerts, or anything else related to protecting yourself after the breach. This $80 counts toward your $500 cap on regular losses.

Up to $2,000 for extraordinary losses if you actually suffered identity theft or fraud. You need rock-solid documentation showing the loss is real and unreimbursed, it was more likely than not caused by this breach (not some other data breach or scam), it happened between October 25, 2022 and the January 13, 2026 claim deadline, you made reasonable efforts to prevent or recover the loss, and you exhausted other options like credit monitoring insurance first.

One year of free credit monitoring or $40 cash for minors under 18. If your child was under 18 when the settlement agreement was signed on May 5, 2025, you can choose a flat $40 payment instead of credit monitoring. You can’t claim both the $40 and also file for reimbursement of regular or extraordinary losses.

San Diego Unified School District Data Breach Lawsuit Settlement, How Much Money You Can Get

Who Qualifies for the San Diego School District Data Breach Settlement?

You’re in the settlement class if you’re a California resident who received a mailed notification from San Diego Unified saying your personal information may have been compromised in the October 25, 2022 data breach.

This primarily covers: students who were enrolled in San Diego Unified when the breach happened, parents or guardians whose information was in student files, current employees at the time of the breach, and former employees whose data was still on district servers.

You must have received an actual mailed letter. If you never got a breach notification, you’re probably not in the settlement class.

What Personal Information Was Stolen in the Breach?

The district confirmed files with “considerable amounts of personal information” were compromised, including:

Social Security numbers for employees and possibly students, names and addresses, dates of birth, student records and educational information, personal health information for some individuals, employment records and information, and potentially financial data like direct deposit account numbers.

The lawsuit specifically mentioned that special education information and other highly sensitive materials about minor students may have been exposed. This type of data should be robustly protected by schools under California’s Student Online Personal Information Protection Act (SOPIPA).

How Do I File a Claim for the San Diego Unified Settlement?

Go to SDUSDDataSettlement.com and complete the online claim form. You’ll need information from your breach notification letter. The deadline is January 13, 2026 at 11:59 PM Pacific time.

You can also request a paper form by calling 833-417-4899 or emailing [email protected]. Mail completed paper forms to: G.W., et al. v. San Diego Unified School District, c/o Settlement Administrator, P.O. Box 25191, Santa Ana, CA 92799. Paper claims must be postmarked by January 13, 2026.

For reimbursement claims, you need documentation: receipts for expenses you’re claiming, bank statements showing fees, credit monitoring invoices you paid, proof of any identity theft losses, and a brief description of time spent dealing with the breach.

The stronger your documentation, the better. Vague claims without receipts typically get denied.

What You Must Know About School Data Breach Laws

What Laws Did San Diego Unified Allegedly Violate?

California has multiple laws protecting student and employee data:

California’s data breach notification law requires companies and government agencies to notify affected individuals when personal information is breached. The law sets specific timelines and disclosure requirements. San Diego Unified’s eight-month delay in notifying some victims became a key issue in the lawsuit.

Student Online Personal Information Protection Act (SOPIPA) requires every online service used for K-12 school purposes to maintain reasonable security procedures to protect student personal information from unauthorized access, destruction, or disclosure.

HIPAA (Health Insurance Portability and Accountability Act) applies to schools when they hold medical or health information about students or employees. The breach may have compromised protected health information.

The lawsuit claimed San Diego Unified was negligent by failing to implement reasonable security measures, breached its duty under common law to protect sensitive information, violated California’s Unfair Competition Law, and violated various consumer protection statutes.

Former California Attorney General Kamala Harris emphasized in a 2016 report: “Student information is something that must be handled with great care. As the devices we use each day become increasingly connected, it’s critical that we implement robust safeguards for what is collected, how it is used, and with whom it is shared.”

How Do Data Breach Class Action Settlements Work?

Class action lawsuits let one person (the class representative) sue on behalf of a large group who all suffered similar harm. In this case, parents sued representing all 45,307 people affected.

Here’s the typical process: breach happens, company delays notification or denies responsibility, victims file lawsuits in multiple courts, cases get consolidated into one class action, lawyers conduct discovery to prove negligence, parties negotiate a settlement, court grants preliminary approval, class members get notified and can opt out or object, court holds final approval hearing, and if approved, settlement administrator distributes payments.

You automatically become part of the settlement unless you opted out by December 15, 2025 (that deadline passed). When the court grants final approval on February 6, 2026, anyone who didn’t opt out can’t sue San Diego Unified later for these same claims.

The trade-off: you get guaranteed money without hiring your own lawyer, but you typically get less than if you sued individually and won.

Common Mistakes That Could Disqualify Your Claim

Missing the January 13, 2026 deadline. Courts don’t extend these deadlines for any reason.

Not including documentation for expenses. If you claim $300 in credit monitoring costs but don’t attach receipts or invoices, your claim gets denied.

Filing for your child and also claiming the $40 minor payment. You can pick one or the other, not both.

Claiming losses that happened before October 25, 2022 or after January 13, 2026. The settlement only covers losses during this specific period.

Claiming losses from a different data breach. If you suffered identity theft but it was from the Equifax breach or another company’s hack, this settlement won’t reimburse you.

Not being a California resident. The settlement specifically covers California residents only.

Never receiving a mailed breach notification. If you didn’t get a letter from San Diego Unified about the breach, you’re probably not in the settlement class even if you think your data was exposed.

What to Do Next to Protect Yourself and Get Paid

Step-by-Step: How to File Your Claim Right Now

First, find your breach notification letter from San Diego Unified. It should have arrived by mail sometime in 2023. If you can’t find it, check your files or call the settlement administrator at 833-417-4899 to verify you’re in the class.

Second, gather your documentation. Pull together receipts for any expenses: credit monitoring subscriptions you paid for, bank fees from fraud attempts, certified mail costs for affidavits, gas receipts or mileage logs for trips to banks or government offices, notary fees for identity theft documents, and credit freeze or unfreeze fees.

For time claims, write down what you did: hours spent freezing credit at all three bureaus, time calling banks to report suspicious activity, hours monitoring accounts for fraud, time filing police reports or FTC identity theft reports, and time researching how to protect yourself.

For extraordinary loss claims (the $2,000 option), you need serious documentation: police reports showing identity theft, bank statements showing fraudulent charges, letters from creditors about fraudulent accounts opened in your name, FTC identity theft affidavits, evidence you tried to recover losses through insurance or other means, and proof the losses happened between October 25, 2022 and January 13, 2026.

Third, go online to SDUSDDataSettlement.com. Click the claim form link. Fill it out completely. Upload or attach your supporting documents. Submit before January 13, 2026.

Save your confirmation number. Screenshot it or write it down.

Protect Yourself From Identity Theft After This Breach

Your information is permanently out there. You need ongoing protection:

Freeze your credit immediately. Contact all three credit bureaus—Equifax (800-349-9960 or equifax.com/personal/credit-report-services), Experian (888-397-3742 or experian.com/freeze/center.html), and TransUnion (888-909-8872 or transunion.com/credit-freeze). Freezing is free and prevents anyone from opening new credit in your name.

Enroll in the free credit monitoring. The settlement offers one year of credit monitoring plus $1 million in identity theft insurance. Take it. Sign up when you file your claim.

Monitor your accounts. Check bank statements, credit card statements, and explanation of benefits from your health insurance monthly. Look for charges you didn’t make, accounts you didn’t open, and medical services you didn’t receive.

File your taxes early. Identity thieves use stolen Social Security numbers to file fake tax returns and steal refunds. File as early as possible each year so criminals can’t file before you.

Set up an IRS Identity Protection PIN. Go to irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin and get a six-digit PIN that prevents anyone else from filing with your SSN.

Check your Social Security earnings statement. Go to ssa.gov/myaccount annually to verify nobody is working under your Social Security number.

Consider extended fraud alerts. If you’ve experienced identity theft, place a seven-year fraud alert with the credit bureaus for free. This requires creditors to verify your identity before opening accounts.

Important Deadlines You Cannot Miss

January 13, 2026 at 11:59 PM Pacific: Final deadline to submit claims online or have mailed claims postmarked. Miss this and you get nothing.

February 6, 2026: Final approval hearing in San Diego County Superior Court. You don’t have to attend, but you can. The judge will decide whether to approve the settlement as fair and reasonable.

After final approval: Assuming the judge approves and nobody successfully appeals, the settlement administrator will review all claims, determine payouts, and start issuing payments. This typically takes 60-90 days, meaning payments could start around April or May 2026.

The opt-out and objection deadline was December 15, 2025. If you wanted to exclude yourself or object to the settlement terms, that window closed.

When Should You Talk to a Lawyer?

Most people don’t need a lawyer to file a San Diego Unified settlement claim. The process is free and straightforward.

But consider consulting an attorney if: you opted out of the settlement before December 15, 2025 and want to sue individually; you’ve experienced significant identity theft losses exceeding $2,000; your claim for extraordinary losses gets rejected; you have evidence of additional violations beyond what’s covered in this settlement; or you’re a former employee whose information was improperly retained on active servers.

Data breach and privacy lawyers can evaluate whether you have a stronger individual claim. Under California law, you may be entitled to up to $1,000 per violation or your actual damages (whichever is greater) for certain data breach violations.

Consumer protection attorneys often work on contingency, meaning they only get paid if you recover money. Initial consultations are typically free.

Common Questions About the San Diego Unified Data Breach

Do I Need a Lawyer to File a Claim?

No. Filing is free and doesn’t require an attorney.

The class action lawyers already did the legal work representing everyone. They’ll get their fees from the settlement fund—not from your individual payment. You keep 100% of whatever you’re awarded.

What If I No Longer Have My Breach Notification Letter?

Call the settlement administrator at 833-417-4899. They can verify if you’re in the settlement class using your name and address.

You don’t need the physical letter to file a claim. But if there’s any dispute about whether you received notification, having the original letter helps prove you’re in the class.

Can I File a Claim If My Child Graduated Years Ago?

Yes, if you received a breach notification letter. The settlement covers anyone whose information was compromised in the October 2022 breach, regardless of whether they’re still enrolled in the district.

Former students, former employees, and parents of former students who got breach letters are all eligible to file claims.

How Long Does It Take to Get Settlement Money?

Expect 60 to 90 days after final court approval for payments to start.

Here’s the timeline: February 6, 2026 is the final approval hearing. If approved, there’s usually a 30-day appeal period. Assuming no appeals (or they’re quickly resolved), the settlement administrator starts processing payments around late March or April 2026.

Payments go out in batches. Some people get checks first while others wait a few more weeks.

What Happens If I’ve Already Experienced Identity Theft?

File a claim for extraordinary losses up to $2,000. You need strong documentation.

First, file a police report immediately if you haven’t already. Then file an identity theft report with the FTC at IdentityTheft.gov. Contact the fraud departments of any companies where fraudulent accounts were opened. Place fraud alerts with all three credit bureaus.

When you file your settlement claim, attach copies of: the police report, FTC identity theft affidavit, letters from banks or creditors about fraudulent accounts, bank statements showing fraudulent charges, and evidence you tried to recover losses through other means first.

If your losses exceed $2,000, talk to a consumer protection attorney about pursuing additional legal action against San Diego Unified separately.

Is Credit Monitoring Included in the Settlement?

Yes. All class members who submit a valid claim can get one year of credit monitoring with one-bureau alerts plus $1 million in identity theft insurance.

This is in addition to any credit monitoring San Diego Unified offered right after the breach was discovered. You can get both.

Alternatively, if your child was under 18 on May 5, 2025 (when the settlement agreement was signed), you can take a flat $40 cash payment instead. You can’t take both the credit monitoring and the $40.

What If the Settlement Fund Runs Out?

Unlike some class actions, this settlement doesn’t disclose a total fund amount. Payouts are based on valid claims submitted with proper documentation.

If everyone files for the maximum amounts and claims exceed available funds, the settlement administrator might reduce payments proportionally. But settlements are typically structured to cover reasonable expected claims.

The more people who file frivolous claims without documentation, the smaller the legitimate claims might become. That’s why it’s critical to only claim actual, documented losses you really incurred.

Pro Tip: If you’re eligible for the free credit monitoring, enroll immediately even if you don’t have documented expenses to claim. The identity theft insurance coverage ($1 million) is valuable long-term protection. And credit monitoring will alert you to fraudulent activity before it causes major damage. Don’t leave this benefit on the table.

Last Updated: January 12, 2026 — We keep this current with the latest legal developments in data breach settlements and consumer privacy protections.

Important Legal Disclaimer: This article provides general information about the San Diego Unified School District data breach class action settlement and consumer rights under California data protection laws. It is not legal advice. The San Diego Unified settlement terms and eligibility requirements are based on court documents and the official settlement notice, but individual circumstances may vary. AllAboutLawyer.com does not provide legal services, represent claimants, or process settlement claims. For specific questions about your eligibility or claim status, contact the settlement administrator at 833-417-4899 or visit SDUSDDataSettlement.com. If you need personalized legal advice about a data breach, identity theft, or class action settlement, consult a qualified consumer protection or privacy attorney in your area.

Need help with another major data breach settlement? Learn about the Nelnet Data Breach Class Action Lawsuit $10M Settlement affecting 2.5 million student loan borrowers.

Stay informed, stay protected. — AllAboutLawyer.com

About the Author

Sarah Klein, JD

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah

Leave a Reply

Your email address will not be published. Required fields are marked *