Child & Family Services Breach Exposes Personal and Medical Information

Child & Family Services of the Upper Peninsula Inc., a private, nonprofit organization that provides social services to children and families across Michigan's Upper Peninsula, disclosed a data breach that occurred in 2025 involving unauthorized access to two employee email accounts. The email accounts were compromised by an unauthorized party between March 13, 2025, and May 25, 2025.

After the incident was discovered, the organization conducted a thorough forensic investigation with the assistance of external cybersecurity professionals.

The range of information potentially exposed includes full name, Social Security number, date of birth, date of death, driver's license number or state identification card number, health insurance information, medical information, taxpayer information, military identification number, student identification number, payment card information, financial account information, login information, digital or electronic signature, mother's maiden name, birth certificate and marriage certificate.

The breach was disclosed to the Massachusetts Office of Consumer Affairs and Business Regulation on April 21, 2026. The organization posted a notice of the data security incident on its website.

Child & Family Services of the Upper Peninsula's response to the breach

For those whose Social Security numbers were impacted, the organization is offering 12 months of complimentary single-bureau credit monitoring, credit report and credit score services through Cyberscout, a TransUnion company specializing in fraud assistance and remediation services.

Affected individuals can enroll by visiting Cyberscout's activation page and entering the unique code included in their notification letter. Enrollment must be completed within 90 days of the letter date.

The organization has also set up a dedicated toll-free call center at 1-833-877-5368, available Monday through Friday from 8 a.m. to 8 p.m. Eastern time, excluding holidays. The call center will remain active for 90 days from the date of the notification letter.

Steps to take if your information was exposed

• Place a fraud alert or security freeze on credit files by contacting Equifax (1-888-378-4329), Experian (1-888-397-3742) or TransUnion (1-800-680-7289).
• Request free credit reports at AnnualCreditReport.com and review them carefully for unfamiliar accounts or unauthorized inquiries.
• Review explanation of benefits statements from health insurers for medical services not received, since health insurance and medical information were among the data types potentially exposed.
• Monitor financial account and payment card statements closely for unauthorized charges, as payment card and financial account data may have been compromised.
• Be cautious of phishing attempts that reference Child & Family Services of the Upper Peninsula or this breach by name, especially since login credentials were among the potentially exposed data.
• Report suspected identity theft to the FTC at ftc.gov/idtheft or by calling 1-877-438-4338, and consider filing a police report with local law enforcement. Under Massachusetts law, affected residents have the right to obtain a police report regarding this incident.