How much should we really trust an organization that doesn't even use SSL for their login page or secure report delivery. If you go to http://www2.uthscsa.edu/nnsis/ and try to get a secure report, you'll get redirected to a login page (http://www2.uthscsa.edu/nnsis/logon.cfm?target=enterdata) that isn't secure. I mean that is like the bare minimum to securing data. How much you want to bet that they have the kids personally identifiable information sitting on some easy to access table? Also isn't this a violation of HIPAA? I know that not using SSL is a violation, also encryption of the personally identifiable information has to be encrypted on disk as well..