Dear HSHMC Families,
[MAY 12 UPDATE from Instructure CEO Steve Daly]
We know that for many of our customers, concerns about the potential publication of data related to this incident remain top of mind. We want to acknowledge those concerns directly – we understand how unsettling situations like this can be, and protecting our community is also a top priority for us.
With that responsibility in mind, we reached an agreement with the unauthorized actor involved in this incident. As part of that agreement, the data was returned to us, we received assurances that it will not be further shared on the dark web or elsewhere, and we received proof that any copies of that data were deleted. Further, we have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise. While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give our customers additional peace of mind, to the extent possible.
We are sharing this update in the continued interest of transparency and so that our customers know that we have addressed this element of the incident directly. To reiterate, the agreement covered all of our customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.
We appreciate your patience and trust as we continue to respond to this incident thoughtfully and comprehensively. We remain committed to providing meaningful updates as our work progresses.
[May 6 UPDATE]
Health Sciences High and Middle College uses an online learning platform called Canvas. Instructure, the parent company of Canvas, suffered a nationwide data breach that may have exposed personal information of students and educators. At this time there is no indication that passwords, dates of birth, or government identifying information were part of the data breach. The reports from Canvas made clear that there was no additional action the school could have taken to prevent the breach. The investigation is ongoing and if further details are made available the school will communicate accordingly.
Instructure’s Chief Executive Officer Steve Daly wrote: “On April 25, 2026, Instructure experienced a cybersecurity incident perpetrated by a criminal threat actor. We detected the attacker on April 29 and immediately revoked the access. On April 30, as the investigation expanded, we revoked additional suspicious access and addressed the underlying vulnerability. We have found no indicators of an ongoing threat.”
Despite the assurances from Instructure that the incident has been contained, we wanted to make you aware that this breach has provided unauthorized access information to some to Health Sciences High and College Families. Instructure is working with urgency to complete their investigation and evaluating additional security measures.
We take your safety and security very seriously. At the school,
• We will continue to take all the steps possible to further secure and protect your private information and prevent further unauthorized access or misuse.
• We will continue to provide you with any information or updates or recommendations that we receive from Instructure that may affect your personal information.
This incident is yet another reminder of the importance of cybersecurity to safeguard against scams. Always be aware of requests for information or unsolicited offers for products or services you receive from unknown sources. Be suspicious of any email that asks you to act, click a link, or divulge information immediately to claim a reward or avoid penalty. Always be aware of any emails that request sensitive information. Scammers often make offers that are too good to be true or try to scare you into taking action that divulges personal information.
Protecting our students is something we take seriously. With Instructure’s help, more information and resources will be provided to you as they become available. Thank you for your patience and understanding.
