Data breaches are criminal activities that occur when information is stolen or taken from a system without the knowledge or authorization of the owner. The state of Michigan is no stranger to these incidences as it ranks as one of the top ten in the country, with nearly 11,000 victims in 2021. It increased to 13,566 in 2022. This has led to losses totaling $181 million, with no sign that the figures went down in the following years. Most data breach types in Michigan center on institutional network breaches, identity thefts, phishing, personal data breaches, and extortion. The breaches also targeted healthcare, education, and tech facilities.

Identity Theft Statistics

Identity Theft
State Rank (Reports per 100K Population)
Identity Theft Reports
Fraud & Other
State Rank (Reports per 100K Population)
Total Fraud & Other Reports
Total Fraud Losses
Median Fraud Losses

Top Ten Report Categories

Imposter Scams
Identity Theft
Telephone and Mobile Services
Debt Collection
Online Shopping and Negative Reviews
Banks and Lenders
Prizes, Sweepstakes and Lotteries
Credit Bureaus, Iformation Furnishers and Report Users
Auto Related
Internet Services

Top Identity Theft Types

Credit Card Fraud
Other Identity Theft
Bank Fraud
Phone or Utilities Fraud
Loan or Lease Fraud
Employment or Tax-Related Fraud
Government Documents or Benefits Fraud

Michigan's Recent Biggest Data Breaches


Allen Park Public Schools Data Breach

In October 2023, John Tafelski, the assistant superintendent for curriculum and instruction, sent a letter indicating the shutdown of Allen Park Public Schools on Monday. It was in response to a cyber attack that affected some systems. He also assured families and staff that the district was focused on restoring systems so classes would resume as soon as possible. The school district indicated that it could not pinpoint what information may have been at risk for teachers, students, and administrators.


University Of Michigan Data Breach

On August 23rd, 2023, there was suspicious activity following anetwork breach. As investigations continued, the university opted to disconnect the campus network from the Internet. It is believed that the unauthorized party accessed personal information concerning students, applicants, alumni employees, donors, and contractors. They may have accessed driver's licenses, IDs, financial accounts, and Social Security numbers. The university also sent letters to those whose sensitive personal information was involved in the incident.


Mclaren Ransomware Attack

McLaren Michigan, a healthcare provider, was attacked by ransomware in August 2023. The cybercriminal gang known as ALPHV claimed responsibility for the theft, leading to the compromise of 2.2 million patients' information. McLaren also indicated the hackers were in the system for three weeks from July through to August before the company noticed in the month's final week. The company also stated the hackers accessed patients' names, Social Security numbers, dates of birth, billing, claims, diagnoses, and prescription details. Attorney General Nessel also weighed in on the incident, saying that organizations that handle the public's most personal data must implement safety measures to withstand cyber-attacks.


Corewell Health Data Breach

On May 30th, 2023, a cyber attack happened at Welltok, a vendor that provided communication services to Corewell Health in Michigan. The attack exploited the vulnerabilities of the MOVEit Transfer server owned by Welltok's parent company. According to Michigan Attorney General Dana Nessel, it resulted in the information compromise of more than one million residents. The information taken included email addresses, dates of birth, phone numbers, health insurance information, and Social Security numbers. Though the potentially affected people should have gotten a notice of the breach, the state laws do not currently require organizations to share the same with the attorney general's office.


Gentex Ransomware Attack

In May 2023, Gentex acknowledged that it was a victim of a cyberattack by the Dunghill ransomware group. Based in Zeeland, Michigan, Gentex specializes in microelectronics, vision systems, software design, chemical development, microphones, and automated assembly. It is estimated that the information of 5,000 employees was compromised. These included Social Security numbers, emails, and client documents. Gentex did not immediately send out breach letters due to the investigations; however, once it confirmed that employee data was leaked, it began sending out notifications.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach


Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.


Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.


Contain the Breach

Isolate the affected system to prevent further damage.


Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.


Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.


Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.


Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.


Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.


Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.


Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

Businesses must notify each resident of breaches if unauthorized parties obtain their unencrypted personal information. They are also required to do this without unreasonable delay when it is likely to cause identity theft or other losses to the affected population. A delay is only permitted when the notification potentially interferes with a law enforcement agency's investigation. Sensitive data, according to state regulations, include the following:

  1. Addresses, phone numbers
  2. Credit card numbers
  3. Birth dates
  4. Maiden names
  5. Driver's license numbers

The allowed methods for data breach notification of residents include written and telephone notices, though these should not be recorded as electronic notices. Substitute notice is also permitted when the costs of notification are more than $250,000 or more than 500,000 residents have to be notified. If the business is notifying more than 1000 residents, then it also has to notify nationwide consumer reporting agencies without delay on the number, as well as the timing of notices.

If the business maintains a database that includes data that it does not own or license and it discovers a data breach, it is required to give notice to the owner of the information immediately. The notification will be given without unreasonable delay following the breach's discovery. This would be consistent with the measures necessary to determine the scope of the violation of the system.

The data breach requirements can be enforced by the attorney general of the state or a private attorney, but there are no specific requirements in Michigan to inform the AG that there has been a breach.


  • Michigan's foremost law on data breaches is the Identity Theft Protection Act 452 of 2004. It covers the definitions of data breaches, personal information, vital records, web pages, and agencies.
  • According to Act 445.72, organizations are mandated to provide notices of security breaches. That is, unless a person or agency determines that the breach is not likely to cause substantial loss or injury or result in identity theft with respect to 1 or more residents of the state.
  • The Michigan data Security law added Chapter 5A, MCL 500.550 to 565 to the insurance code. It requires that licensed insurers develop, implement, and maintain comprehensive security programs for their databases.