Michigan
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- Michigan’s Recent Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
Data breaches are criminal activities that occur when information is stolen or taken from a system without the knowledge or authorization of the owner. The state of Michigan is no stranger to these incidences as it ranks as one of the top ten in the country, with nearly 11,000 victims in 2021. It increased to 13,566 in 2022. This has led to losses totaling $181 million, with no sign that the figures went down in the following years. Most data breach types in Michigan center on institutional network breaches, identity thefts, phishing, personal data breaches, and extortion. The breaches also targeted healthcare, education, and tech facilities.
Identity Theft Statistics
Reports
Reports
Losses
Top Ten Report Categories
Top Identity Theft Types
Michigan's Recent Biggest Data Breaches
Allen Park Public Schools Data Breach
In October 2023, John Tafelski, the assistant superintendent for curriculum and instruction, sent a letter indicating the shutdown of Allen Park Public Schools on Monday. It was in response to a cyber attack that affected some systems. He also assured families and staff that the district was focused on restoring systems so classes would resume as soon as possible. The school district indicated that it could not pinpoint what information may have been at risk for teachers, students, and administrators.
University Of Michigan Data Breach
On August 23rd, 2023, there was suspicious activity following anetwork breach. As investigations continued, the university opted to disconnect the campus network from the Internet. It is believed that the unauthorized party accessed personal information concerning students, applicants, alumni employees, donors, and contractors. They may have accessed driver's licenses, IDs, financial accounts, and Social Security numbers. The university also sent letters to those whose sensitive personal information was involved in the incident.
Mclaren Ransomware Attack
McLaren Michigan, a healthcare provider, was attacked by ransomware in August 2023. The cybercriminal gang known as ALPHV claimed responsibility for the theft, leading to the compromise of 2.2 million patients' information. McLaren also indicated the hackers were in the system for three weeks from July through to August before the company noticed in the month's final week. The company also stated the hackers accessed patients' names, Social Security numbers, dates of birth, billing, claims, diagnoses, and prescription details. Attorney General Nessel also weighed in on the incident, saying that organizations that handle the public's most personal data must implement safety measures to withstand cyber-attacks.
Corewell Health Data Breach
On May 30th, 2023, a cyber attack happened at Welltok, a vendor that provided communication services to Corewell Health in Michigan. The attack exploited the vulnerabilities of the MOVEit Transfer server owned by Welltok's parent company. According to Michigan Attorney General Dana Nessel, it resulted in the information compromise of more than one million residents. The information taken included email addresses, dates of birth, phone numbers, health insurance information, and Social Security numbers. Though the potentially affected people should have gotten a notice of the breach, the state laws do not currently require organizations to share the same with the attorney general's office.
Gentex Ransomware Attack
In May 2023, Gentex acknowledged that it was a victim of a cyberattack by the Dunghill ransomware group. Based in Zeeland, Michigan, Gentex specializes in microelectronics, vision systems, software design, chemical development, microphones, and automated assembly. It is estimated that the information of 5,000 employees was compromised. These included Social Security numbers, emails, and client documents. Gentex did not immediately send out breach letters due to the investigations; however, once it confirmed that employee data was leaked, it began sending out notifications.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar
Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from
Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards
or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit
Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your
Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to
Sign-in to Accounts
If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
Businesses must notify each resident of breaches if unauthorized parties obtain their unencrypted personal information. They are also required to do this without unreasonable delay when it is likely to cause identity theft or other losses to the affected population. A delay is only permitted when the notification potentially interferes with a law enforcement agency's investigation. Sensitive data, according to state regulations, include the following:
- Addresses, phone numbers
- Credit card numbers
- Birth dates
- Maiden names
- Driver's license numbers
The allowed methods for data breach notification of residents include written and telephone notices, though these should not be recorded as electronic notices. Substitute notice is also permitted when the costs of notification are more than $250,000 or more than 500,000 residents have to be notified. If the business is notifying more than 1000 residents, then it also has to notify nationwide consumer reporting agencies without delay on the number, as well as the timing of notices.
If the business maintains a database that includes data that it does not own or license and it discovers a data breach, it is required to give notice to the owner of the information immediately. The notification will be given without unreasonable delay following the breach's discovery. This would be consistent with the measures necessary to determine the scope of the violation of the system.
The data breach requirements can be enforced by the attorney general of the state or a private attorney, but there are no specific requirements in Michigan to inform the AG that there has been a breach.
Laws
- Michigan's foremost law on data breaches is the Identity Theft Protection Act 452 of 2004. It covers the definitions of data breaches, personal information, vital records, web pages, and agencies.
- According to Act 445.72, organizations are mandated to provide notices of security breaches. That is, unless a person or agency determines that the breach is not likely to cause substantial loss or injury or result in identity theft with respect to 1 or more residents of the state.
- The Michigan data Security law added Chapter 5A, MCL 500.550 to 565 to the insurance code. It requires that licensed insurers develop, implement, and maintain comprehensive security programs for their databases.
Resources
- Corewell Health Data Breach Exposes Info of One Million Michigan Patients
- AG Nessel Notifies Michigan Residents of McLaren Ransomware Attack Threatening to Expose Patient Data
- AG Nessel Re-Issues Data Breach Alert Following University of Michigan Network Infiltration
- Data Breaches: What to Do Nextdata-breaches
- Identity Theft Protection Act (EXCERPT) Act 452 of 2004
- Identity Theft Protection Act- 445.72 Notice of security breach; requirements.
- Michigan Insurance Data Security Law.