[BobbyTables2]

Was it really a problem? Yes, voluntary release of that info by a school would normally likely be a FERPA violation, but this was a criminal act against a third party.

Infrastructure’s motivations must have lain elsewhere…

[erikerikson]

Does that really shield the schools? HIPAA wouldn't care.

[bijowo1676]

educational LMS should not store real patient health data, so thats the problem of whoever designed that system.

[erikerikson]

The question was whether the same transitive responsibility applies to FERPA, not whether HIPAA data is involved.