Child & Family Services Data Breach Investigation
Child & Family Services of the Upper Peninsula, Inc. has posted a notice about a reported data security incident involving two employee email accounts. According to the notice, the organization later determined that personal health information may have been subject to unauthorized acquisition, and the types of information potentially involved varied by person. If you received a letter, it is important to review the notice carefully, protect your credit, and watch for unusual financial or medical activity. You can also fill out the form on this page to see whether you may qualify for a claim.
Child & Family Services of the Upper Peninsula, Inc. is a Michigan-based organization. The publicly available materials provided here do not specify an industry classification, but the organization posted a notice on its website about a reported data security incident. That notice is the primary public source for the information summarized below.
Key Facts at a Glance
- Company: Child & Family Services of the Upper Peninsula, Inc. (CFSUP)
- Notice date: According to the public notice, affected individuals were notified on April 21, 2026.
- What the notice says happened: CFSUP reported a security incident involving two employee email accounts.
- Activity window identified in the notice: Personal health information may have been subject to unauthorized acquisition between March 13, 2025, and May 25, 2025.
- When the issue was identified: The notice says CFSUP discovered on or about April 6, 2026 that information may have been affected.
- Information that may have been involved: Data varied by individual and may have included names, Social Security numbers, dates of birth, driver’s license or state ID numbers, health insurance information, medical information, financial account information, and other sensitive records.
- Affected population: A public total was not specified in the materials reviewed.
- Support offered: The notice says complimentary credit monitoring was offered to individuals whose Social Security numbers were impacted.
- Company contact listed in the notice: 1-833-877-5368
What Happened?
According to CFSUP’s website notice, the incident involved two employee email accounts. The organization says it secured its email environment and started an investigation with assistance from external cybersecurity professionals. After a forensic review and manual document review, CFSUP reported that it determined on or about April 6, 2026 that personal health information may have been subject to unauthorized acquisition during an earlier period.
The notice also states that letters were sent by U.S. mail where mailing addresses were available. CFSUP further stated that it had no evidence that information had been or would be misused, but it still encouraged affected people to take precautionary steps. No public count of affected individuals was identified in the source materials provided here.
What Information Was Exposed?
CFSUP says the types of information potentially involved varied by individual. Based on the notice, the information may have included a broad range of personal, health, and financial data rather than a single uniform set for every person.
- Identity information: full name, Social Security number, date of birth, date of death, driver’s license number, state identification card number, taxpayer information, military identification number, student identification number, and mother’s maiden name.
- Health-related information: health insurance information and medical information.
- Financial or account-related information: payment card information, financial account information, and login information.
- Other sensitive records: digital or electronic signature, birth certificate, and marriage certificate.
If your letter listed specific data elements, focus first on those items. A person whose Social Security number, financial information, or medical information may have been involved may face different risks than someone whose exposed data was limited to basic contact or identifying information.
What Should You Do Next?
- Read your notice carefully. Check whether the letter identifies the specific information that may have been involved and whether you were offered credit monitoring. If you have questions about the company’s notice, CFSUP listed a response line at 1-833-877-5368.
- Consider placing a fraud alert or security freeze. A fraud alert can make it harder for someone to open new credit in your name, and a freeze adds stronger protection by restricting access to your credit file.
- Get your free credit reports. Review reports from the major credit bureaus for unfamiliar accounts, inquiries, or address changes. If you see suspicious activity, dispute it right away.
- Watch your financial and medical statements. Because the notice says health and financial data may have been involved, review bank activity, payment card statements, explanation of benefits forms, and insurance communications for anything unusual.
- Be alert for phishing and account misuse. If login information or other sensitive records may have been involved, update passwords on important accounts, use unique passwords, and enable multi-factor authentication where possible.
- Keep records and ask questions early. Save the notice, note any time spent dealing with the issue, and document suspicious events. If you want to understand your legal options, you can fill out the form on this page to see whether you may qualify for a claim.
Your Legal Rights
If your personal information may have been involved in a reported security incident, you may have legal rights under state or federal law depending on the facts. Those rights can include the right to receive notice, the right to accurate information about the categories of data at issue, and the ability to seek relief if you suffered fraud, unreimbursed losses, or significant time and expense protecting yourself.
Potential claims often depend on details such as what information was involved, when the organization learned of the issue, what safeguards were in place, and whether affected people faced an increased risk of identity theft or medical privacy harm. The public notice also references extra consumer protections for some residents, including Massachusetts residents’ right to obtain a police report related to the incident.
Every situation is different. Reading the notice, preserving your records, and getting informed about your options can help you make sound decisions without waiting for problems to get worse.
Why Hire Strauss Borrelli PLLC?
Strauss Borrelli PLLC represents individuals in data breach and privacy matters and understands how to analyze security incident notices, investigate what information may have been involved, and evaluate whether affected people may have viable claims. Our team focuses on clear, practical guidance for people dealing with identity theft risk, financial uncertainty, and the stress that follows a notice like this.
If you received a letter connected to the reported Child & Family Services of the Upper Peninsula incident, Strauss Borrelli PLLC can help you understand the issues, preserve relevant records, and assess next steps. Contacting a lawyer does not commit you to a case, but it can help you better understand your rights and options.
If you received a breach notification letter from Child & Family Services of the Upper Peninsula:
We would like to speak with you about your rights and potential legal remedies in response to this data breach. Please fill out the form, below, or contact us at 872.263.1100 or sam@straussborrelli.com.
