Company managing retirement plans for some Oregon school districts hit by data breach

PORTLAND, Ore. — A data breach hit a company that manages retirement plans for several school districts in Oregon, potentially compromising employee’s personal information. 

The Tigard-based company, Carruth Compliance Consulting, identified “suspicious activity” on Dec. 21, 2024, that impacted how some computer systems are operated. An investigation determined that certain systems in their network were accessed without authorization between Dec. 19 and Dec. 26, and some files were copied from their systems. The company said it provided notice of the data breach on Jan. 13.

The data breach impacted data from several school districts, including the Beaverton School District (BSD), Portland Public Schools (PPS), the Parkrose School District and the Hillsboro School District. It may have compromised employee’s person information, such as social security numbers, driver’s license numbers, W-2 information, medical billing information and tax filings. The school districts are working with the company and said they are taking steps to mitigate the impact to their employees.

According to BSD, anyone who has been employed by the district since 2009 would be impacted, whether or not the company was actively managing their retirement savings plans. A spokesperson for the school district said that it can be difficult to contact and notify former employees, causing an added challenge that some other districts may also be dealing with.

PPS released a statement saying, in part, “While the recent data breach occurred at Carruth Compliance Consulting, we are collaborating with them to assess and mitigate any impact. Protecting sensitive data remains a top priority, and we will continue to strengthen security measures and work to prevent such incidents in the future.”

Carruth Compliance Consulting encourages people to take the following steps if they think they were impacted by the data breach: