Data breaches occur following unauthorized access and acquisition of personal or financial information. Perpetrators of these crimes typically do so for financial gain, considering the monetary value such information has at the present age. Wisconsin experiences its fair share of data breach incidents, the most common being stolen identities, malware, hacking, and ransomware. In 2022, the state ranked 22nd in the nation for the number of victims, and the losses totaled more than $108 million. The subject earnings or amount swindled per subject was as high as $25,846,107. Cybercriminals also typically target government institutions, educational facilities, technology, and healthcare organizations.

Identity Theft Statistics

Identity Theft
State Rank (Reports per 100K Population)
Identity Theft Reports
Fraud & Other
State Rank (Reports per 100K Population)
Total Fraud & Other Reports
Total Fraud Losses
Median Fraud Losses

Top Ten Report Categories

Imposter Scams
Identity Theft
Telephone and Mobile Services
Online Shopping and Negative Reviews
Prizes, Sweepstakes and Lotteries
Banks and Lenders
Debt Collection
Auto Related
Internet Services
Credit Bureaus, Iformation Furnishers and Report Users

Top Identity Theft Types

Credit Card Fraud
Other Identity Theft
Bank Fraud
Loan or Lease Fraud
Employment or Tax-Related Fraud
Phone or Utilities Fraud
Government Documents or Benefits Fraud

Wisconsin's Recent Biggest Data Breaches


Medical College of Wisconsin Data Breach

In November 2023, the Medical College of Wisconsin filed a data breach notice due to infiltration of their systems by an unauthorized party. They learned about the vulnerability from the MOVEit transfer incident. The Medical College of Wisconsin also hired external cybersecurity experts to investigate the situation. It determined that sensitive information such as birth dates, names, Social Security numbers, driver's license data, and medical treatment information was taken. The MCW also notified all of the affected individuals, numbering 240,667.


Advarra, Inc. data breach

Advarra, a pharmaceutical company, experienced a data breach in October 2023 where personally identifiable data was accessed. An unauthorized party accessed an email account belonging to one of their employees. The company immediately deactivated the account but also initiated an investigation with the assistance of third parties. It was determined that names, employee numbers, statuses, Social Security numbers, phone numbers, and salary information were compromised. This incident also affected 1,765 individuals. Advarra provided credit monitoring services to those affected through third-party outlets. It is also in the process of setting up a call center.


Elmbrook School District of Wisconsin Data Breach

In August 2022, the school district learned of a system breach where files were accessed and removed. Chief Strategy Officer Chris Thompson stated that the perpetrators were professional cyber criminals and that this attack was not something their antivirus could clean up. The Elmbrook School District also announced that a limited number of student educational records were released on the dark web. It did not include Social Security numbers. Considering the nature of the breach, the district offered a one-year complimentary membership to a credit monitoring service to all affected. The breach also targeted other k-12 school districts in other parts of the country.


Wisconsin Department of Health Services Data Breach

Wisconsin Department of Health Services stated on August 8, 2022, the company had experienced a cyber security threat. Following its discovery, the DHS removed the meeting minutes from the website and replaced them with a PDF version. DHS also took definitive steps to confirm that those who received the minutes by email also deleted these files. Notifications were also mailed to the Medicaid members, numbering 12,358. It also provided 12 months of membership to a credit monitoring service. Members can also get access to a dedicated call center to get answers to any questions they may have.


Forefront Dermatology Data Breach

In July 2021, ForeFront Dermatology, a Wisconsin-based healthcare organization, experienced a data breach that exposed more than 2.3 million records. According to ForeFront, an investigation was conducted to determine which parties accessed the company's networks between May 28 and June 4. During this time, they also took their network offline and alerted the authorities concerning what was going on. It was determined the criminals accessed patient information, including names, birth dates, account numbers, member ID details, medical records, provider names, and treatment information. The organization faced a class action suit and had to pay $3.75 million to those affected.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach


Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.


Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.


Contain the Breach

Isolate the affected system to prevent further damage.


Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.


Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.


Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.


Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.


Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.


Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.


Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

Regardless of how vigilant a business may be, data breaches and infiltration can still occur. That is whether it is the result of hackers or negligence from the employees. Per Wisconsin's data breach laws, personal information refers to names, Social Security numbers, financial account details, credit card numbers, and access codes. Wisconsin's breach notification law is different from that of other states, though. It requires that entities notify the state's attorney general and the consumer reporting agencies. The other difference is the Wisconsin regulation does not have a time frame for notification of the affected people. The company needs to notify them without an unreasonable delay, which allows flexibility depending on circumstances.

Notices will be issued via mail or the entity's established method to communicate with the subject. If the entity previously did its correspondences by email, it must be done similarly. At the written request of the person whose data was also acquired, the entity has to illustrate the nature of the information obtained. When an entity cannot determine the mailing address of the person who has been affected, and there was no previous communication in any other way, the organization has to provide notice in a reasonably calculated way to issue notice.

During situations where the personal information of more than 1,000 people was compromised in one incident, the entity has to issue notice to all consumer reporting agencies. There are cases where law enforcement requests a delay in notification of the affected persons significantly if the notice interferes with an ongoing investigation.


  • Wisconsin statute 134.98 deals with the Notice of unauthorized acquisition of personal information. The statute defines personal information and the notices required from businesses when there is a breach of information. It also details the timing and manner of notice and the regulated entities exempt from providing a notice.
  • Wisconsin statute 995.55 forbids educational facilities, landlords, and employers from requiring tenants, employees, or students to reveal access data for their particular internet accounts. It also prohibits educational institutions, landlords, or employers from discriminating against taking adverse actions against students, employees, or tenants who refuse to disclose their personal information.