Child & Family Services of the Upper Peninsula Data Breach Lawsuit Investigation, Were Your Records Exposed?
Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against the Massachusetts Office of Consumer Affairs and Business Regulation disclosure filing and the official CFSUP breach notice on April 25, 2026. Last Updated: April 25, 2026
Child & Family Services of the Upper Peninsula Inc., a private nonprofit that provides social services to children and families across Michigan’s Upper Peninsula, disclosed a data breach involving unauthorized access to two employee email accounts that were compromised between March 13, 2025 and May 25, 2025. The breach was disclosed to the Massachusetts Office of Consumer Affairs and Business Regulation on April 21, 2026. If you received a notification letter from CFSUP, or if you were a client, employee, or program participant of the organization, your most sensitive personal, medical, and financial records may have been sitting in an unauthorized person’s hands for over a year before you were told.
Quick Facts: Child & Family Services of the Upper Peninsula Data Breach
| Field | Detail |
| Organization | Child & Family Services of the Upper Peninsula, Inc. (CFSUP) |
| Breach Type | Unauthorized access to employee email accounts |
| Breach Period | March 13, 2025 — May 25, 2025 |
| Breach Discovered | April 6, 2026 |
| Breach Disclosed | April 21, 2026 |
| Number of People Affected | TBD — total not yet disclosed in public filings |
| Who Is Affected | Clients, program participants, employees, and others whose data was stored in CFSUP email accounts |
| Data Exposed | Names, SSNs, dates of birth, driver’s license numbers, health insurance, medical information, financial account data, payment card data, login credentials, and more |
| Current Lawsuit Status | Pre-litigation investigation — no class action filed as of April 25, 2026 |
| Court & Jurisdiction | TBD — no case filed yet |
| Free Credit Monitoring | 12 months via Cyberscout (TransUnion) — enrollment required within 90 days of notification letter |
| CFSUP Call Center | 1-833-877-5368 (Mon–Fri, 8 a.m.–8 p.m. ET) |
| Official Breach Notice | cfsup.org/notice-of-data-security-incident |
| Last Updated | April 25, 2026 |
What Is the Child & Family Services of the Upper Peninsula Data Breach About?
CFSUP has been providing social service programs throughout Michigan’s Upper Peninsula since 1919. It is a private, nonprofit, nonsectarian organization that collaborates with the Michigan Department of Health and Human Services, Community Mental Health agencies, state and local law enforcement, health departments, substance abuse treatment providers, family courts, school systems, hospitals, and local prosecutors. This is an organization that holds some of the most sensitive records imaginable — files on children in foster care, families in crisis, substance abuse treatment participants, and vulnerable individuals across Michigan’s Upper Peninsula.
The email accounts were compromised by an unauthorized party between March 13, 2025, and May 25, 2025. After the incident was discovered, the organization conducted a forensic investigation with the assistance of external cybersecurity professionals. The breach was not discovered until April 6, 2026 — nearly eleven months after it began. That gap between when an unauthorized party accessed CFSUP’s email accounts and when affected individuals were notified is one of the central concerns attorneys are now evaluating as they assess potential legal claims.
The range of information potentially exposed includes full name, Social Security number, date of birth, date of death, driver’s license number or state identification card number, health insurance information, medical information, taxpayer information, military identification number, student identification number, payment card information, financial account information, login information, digital or electronic signature, mother’s maiden name, birth certificate, and marriage certificate.
Related article: Capital One Data Tracking Lawsuit, They Secretly Sent Your Financial Data to Meta and Google Lawsuit Alleges
This is one of the most comprehensive data exposures in a single breach event — almost every category of personally identifiable information and protected health information that could be held in an email account. To understand how similar healthcare-adjacent data breach class actions develop once attorneys file lawsuits, see our detailed coverage of the Conduent data breach class action affecting over 25 million individuals.
Are You Part of the Child & Family Services of the Upper Peninsula Data Breach?
Here is how to know whether this incident may have affected your information.
You are likely affected if:
- You received a notification letter from Child & Family Services of the Upper Peninsula about this breach
- You were a client, program participant, or recipient of services from CFSUP at any time before May 25, 2025
- You are or were an employee of CFSUP whose records were stored in the organization’s email systems
- You participated in CFSUP programs including foster care, adoption services, family preservation, substance abuse treatment, mental health services, or any other program the nonprofit administered
- Your records — including your personal identification, health insurance, or financial information — were stored in or transmitted through CFSUP employee email accounts during the breach window
You may not be affected if:
- You have no documented relationship with CFSUP and did not receive a notification letter
- You only interacted with CFSUP in a professional or regulatory capacity and your personal records were not maintained in the compromised email accounts
If you are unsure whether your data was compromised, CFSUP has set up a dedicated toll-free call center at 1-833-877-5368, available Monday through Friday from 8 a.m. to 8 p.m. Eastern time, excluding holidays. Call that number directly to ask whether your records were included in the breach.
What Are Plaintiffs’ Attorneys Seeking in This Investigation?
No class action lawsuit has been filed against Child & Family Services of the Upper Peninsula as of April 25, 2026. This is an active pre-litigation investigation — attorneys are currently gathering information from affected individuals to assess whether a class action meets the legal threshold for filing.
What attorneys are evaluating centers on a set of specific legal theories common to data breach litigation of this type: negligence in failing to protect sensitive personal, medical, and financial records; breach of implied contract to keep client and employee information secure; violation of the Federal Trade Commission Act’s reasonable data security standards; and inadequate or delayed notification to affected individuals. The nearly eleven-month gap between when the breach began and when CFSUP disclosed it — discovered April 6, 2026, for an incident that started March 13, 2025 — is a central fact attorneys are examining.
If a class action is filed and succeeds, affected individuals could seek compensation for the real harm unauthorized access to this data creates — identity theft losses, time spent monitoring and protecting their information, fraudulent medical or financial account activity, and the ongoing risk of future harm from exposed credentials and Social Security numbers. No compensation is available right now, and no claim form exists. What you can do right now is protect yourself and preserve your rights for when litigation moves forward. Similar data breach cases involving nonprofits providing social services, like the Patelco Credit Union ransomware breach that resulted in a $7.25 million settlement, show that organizations entrusted with sensitive personal data face real financial accountability when courts find their security measures fell short.
What Should You Do Right Now If You Were Affected?
You cannot file a claim yet — no lawsuit has been filed and no settlement fund exists. But the actions you take in the next few days and weeks directly affect both your personal security and your legal options.
Enroll in the free credit monitoring immediately. For those whose Social Security numbers were impacted, CFSUP is offering 12 months of complimentary single-bureau credit monitoring, credit report, and credit score services through Cyberscout, a TransUnion company specializing in fraud assistance. Affected individuals can enroll by visiting Cyberscout’s activation page and entering the unique code included in their notification letter. Enrollment must be completed within 90 days of the letter date. Do not wait — this window closes. Accepting free credit monitoring does not waive your right to participate in any future class action lawsuit or receive compensation if a settlement is reached.
Place a credit freeze on all three bureaus. A credit freeze is free, prevents new accounts from being opened in your name, and is the single most effective protection against identity theft. Contact Equifax at 1-888-378-4329, Experian at 1-888-397-3742, or TransUnion at 1-800-680-7289. You must contact each bureau separately.
Protect yourself from targeted phishing. Be cautious of phishing attempts that reference Child & Family Services of the Upper Peninsula or this breach by name, especially since login credentials were among the potentially exposed data. Any email or call that claims urgency and references CFSUP should be treated with extreme suspicion until verified through the organization’s official call center number.
Review your health insurance accounts carefully. Because health insurance information and medical information were among the data types potentially exposed, review your Explanation of Benefits statements from your insurer for any services you did not receive. Medical identity theft — where someone uses your insurance to receive care billed to your account — is one of the most damaging consequences of healthcare data breaches.
Save everything. Keep your notification letter, any communications from CFSUP, and documentation of any suspicious activity, fraudulent charges, or identity theft incidents with dates and amounts. These records establish your connection to the breach and support any future legal claim.
Child & Family Services Data Breach Timeline
| Milestone | Date |
| Breach Begins | March 13, 2025 |
| Breach Ends | May 25, 2025 |
| Forensic Investigation Completed | TBD — exact completion date not publicly disclosed |
| Breach Discovered by CFSUP | April 6, 2026 |
| Breach Disclosed to Regulators | April 21, 2026 |
| Notification Letters Sent | April 21, 2026 (ongoing) |
| Credit Monitoring Enrollment Deadline | 90 days from the date of your notification letter |
| Class Action Investigation Status | Active pre-litigation investigation — no lawsuit filed as of April 25, 2026 |
| Expected Lawsuit Filing | TBD — dependent on attorney investigation outcome |
| Expected Settlement Timeline | TBD — data breach class actions of this type typically take 12–36 months from filing to resolution |
Frequently Asked Questions
Is there a class action lawsuit against Child & Family Services of the Upper Peninsula?
Not yet. As of April 25, 2026, attorneys are actively investigating potential claims following the breach disclosure. No formal complaint has been filed in court. If a class action is filed, you will be notified automatically if you qualify as a class member.
Do I need to do anything right now to protect my legal rights?
You do not need to file anything or pay anyone. The most important steps right now are enrolling in the free credit monitoring before your 90-day window closes, placing credit freezes at all three bureaus, and saving your notification letter and any documentation of harm. These steps protect you personally and preserve your legal options.
What specific data was exposed in the Child & Family Services of the Upper Peninsula breach?
The range of information potentially exposed includes full name, Social Security number, date of birth, date of death, driver’s license number or state identification card number, health insurance information, medical information, taxpayer information, military identification number, student identification number, payment card information, financial account information, login information, digital or electronic signature, mother’s maiden name, birth certificate, and marriage certificate. Not every data type was exposed for every individual — the specific information affected varies by person.
Why did it take almost a year before CFSUP notified affected individuals?
After the incident was discovered, the organization conducted a forensic investigation with the assistance of external cybersecurity professionals. The breach was discovered on April 6, 2026, and disclosed to regulators on April 21, 2026. The breach itself ran from March 13, 2025 to May 25, 2025 — meaning the unauthorized access was not detected for approximately ten months. The adequacy of CFSUP’s security monitoring and the timeliness of its notification are both central issues in the attorney investigation currently underway.
Can I file my own individual lawsuit against CFSUP?
You can consult a data breach compensation attorney about individual legal options. Most people are better served by a class action, which pools resources and legal expertise at no cost to individual members. If you have already suffered significant documented losses from identity theft or financial fraud tied to this breach, an individual consultation is worth pursuing. Many data breach attorneys offer free initial consultations.
How will I know if a class action lawsuit is filed against CFSUP?
If a lawsuit is filed and the court certifies a class, all qualifying individuals will receive formal court notice. You can also check the official CFSUP website at cfsup.org and monitor for updates. Bookmark this page — AllAboutLawyer.com will update it as developments occur.
Is the free credit monitoring CFSUP is offering enough protection?
The 12 months of single-bureau credit monitoring through Cyberscout is a starting point, but it is not a complete solution. Single-bureau monitoring only covers one of the three major credit bureaus. For full coverage, place freezes at Equifax, Experian, and TransUnion separately. Credit monitoring alerts you after suspicious activity occurs — a freeze prevents it from happening in the first place. Do both.
Can I still be compensated if I enroll in the free credit monitoring CFSUP offered?
Yes. Accepting free credit monitoring from CFSUP does not waive your right to participate in any future class action lawsuit or receive monetary compensation if a settlement is reached. The two are completely separate.
Sources & References
- Massachusetts Office of Consumer Affairs and Business Regulation — Breach Disclosure Filing (April 21, 2026): https://www.mass.gov/doc/2026-613-child-family-services-of-the-upper-peninsula-inc/download
- Official CFSUP Data Security Incident Notice: https://cfsup.org/notice-of-data-security-incident/
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah