In late August 2023, the University of Michigan became the target of a massive cybersecurity breach. Between August 23 and August 27, unauthorized actors gained access to the university’s network—right as classes were beginning—and quietly extracted sensitive personal information before the university took decisive action.
U of M’s IT team eventually detected the breach and shut down campus-wide internet connectivity, halting access to key services like Wolverine Access, Canvas, email, and registration systems. But the most damning delay came in public disclosure. The university waited nearly two months—until October 23, 2023—to notify the public and affected individuals via formal breach notices.
What Was Exposed?
This wasn’t trivial data—this was deeply personal. U of M revealed that the attackers gained access to:
- Social Security numbers
- Driver’s license or state ID numbers
- Financial account and payment card info
- Health records and sensitive medical details
- Academic transcripts and university ID numbers
- Employee payroll and benefits data
Who Was Impacted?
The reach of the breach was vast. Those affected included:
- Current students (graduate and undergrad)
- Faculty, staff, and research assistants
- Student-athletes and participants in research studies
- Applicants, alumni, donors
- Patients from University Health Service and School of Dentistry
Though early estimates cited close to 230,000 individuals, other reports suggest it may have affected as many as 430,000—the numbers remain subject to evolving updates.
Public and Legal Fallout
The delayed disclosure ignited public outrage. Students and employees were left exposed without warning, forced to scramble to protect themselves. Many critics pointed to the university’s “we have no evidence of misuse” statement as a typical corporate deflection. But victims were already reporting real harms: identity theft, unauthorized financial activity, emotional trauma.
Michigan’s Attorney General Dana Nessel quickly re-issued data breach warnings and offered guidance on how victims could protect themselves—from credit freezes to vigilant monitoring.
Legal Rights of Data Breach Victims in Michigan
Michigan’s Identity Theft Protection Act
Under the Identity Theft Protection Act (Act 452 of 2004), Michigan law requires public institutions and businesses to take reasonable steps to secure personal identifying information—including names, Social Security numbers, driver’s license numbers, and health data.
Importantly, the law also mandates prompt notification of any breach. Victims have the right to be told:
- What data was compromised
- When the breach occurred
- What is being done to contain and correct it
The University of Michigan waited nearly two months to inform victims. That delay alone may constitute a legal violation—and it left thousands of students, employees, and patients vulnerable to harm without even knowing it.
What About Medical Information? HIPAA May Apply
If your health records, diagnoses, treatment history, or medical insurance information were part of the data stolen, U of M’s breach could implicate the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA sets national standards for protecting patient information—and when those standards are violated, institutions can face serious penalties and legal action.
Federal Trade Commission Act: Deceptive Practices
The Federal Trade Commission (FTC) can also investigate data breaches when companies or institutions:
- Misrepresent their data protection policies
- Fail to implement “reasonable” security procedures
If U of M assured students or patients that their data was safe—yet didn’t follow through with adequate safeguards—that could qualify as a deceptive trade practice under federal law.
Potential Legal Claims Against the University of Michigan
Negligence
At the core of most data breach lawsuits is a negligence claim. In legal terms, negligence means U of M had a duty to protect your information, failed to meet that duty, and as a result, you were harmed.
What might constitute negligence?
- Failure to install proper firewalls or encrypt data
- Not responding quickly to cyber vulnerabilities
- Allowing unencrypted or easily accessible data to sit on public-facing systems
- Delayed response in notifying victims
Negligence cases focus on what a “reasonable institution” would have done—and in this case, U of M’s delays and lack of preparation speak volumes.
Breach of Fiduciary Duty
Certain relationships come with a heightened duty of care, and the University of Michigan holds several such roles:
- As a healthcare provider (for patients through Michigan Medicine)
- As a custodian of student-athlete records and financial aid data
If U of M knowingly exposed your private data—or recklessly failed to protect it—it may be liable for breach of fiduciary duty, which is a higher legal standard than simple negligence.
Invasion of Privacy
When confidential personal or health information is wrongfully exposed to third parties, victims may pursue a claim for invasion of privacy. These lawsuits typically center around:
- Public disclosure of private facts
- Intrusion upon seclusion
- Breach of confidentiality agreements
If your data was exposed in a way that caused shame, embarrassment, or reputational harm, this claim could strengthen your case for non-economic damages.
Breach of Contract
Whether you were a student, employee, or patient, you likely entered into some form of written or implied agreement with the university that included promises of privacy and data security.
If U of M’s terms of service, privacy policies, or student-athlete agreements included guarantees to safeguard information—and they failed to do so—you may have a valid breach of contract claim.
Violation of State and Federal Data Protection Laws
As discussed earlier, U of M may have violated:
- Michigan’s Identity Theft Protection Act
- HIPAA (for patient data)
- Federal Trade Commission Act (for unfair or deceptive practices)
These statutory violations open the door to additional legal remedies and potential class-action litigation.
Punitive Damages
In extreme cases, where the conduct is considered grossly negligent, reckless, or deliberately indifferent, Michigan courts may allow punitive damages—intended not just to compensate victims, but to punish the institution and deter future misconduct.
If evidence shows U of M knew about security flaws and failed to act, punitive damages may be on the table.
How Jon Marko and His Team Are Fighting Back
Proven Track Record Against U of M
This isn’t the first time Jon Marko has taken on the University of Michigan—and won.
He was appointed to the Plaintiffs’ Executive Committee in the historic U of M sexual abuse class action, which resulted in a $490 million settlement for victims. That case, like this one, involved deep institutional failures, abuse of trust, and the university’s attempt to protect its reputation instead of its people.
Marko’s role in that case wasn’t symbolic—he was at the center of the fight, shaping legal strategy and helping survivors hold one of the most powerful institutions in the state accountable.
Experience with High-Profile Institutional Misconduct
From police brutality and workplace discrimination to massive civil rights and data privacy cases, Jon Marko has built a career out of challenging the powerful on behalf of the wronged.
He and his team at Marko Law understand how large systems operate—and how they try to cover their tracks. They’ve taken on:
- Government agencies
- Fortune 500 companies
- Major public institutions like U of M
Current Legal Strategies in the U of M Data Breach Case
Right now, Marko Law is actively building its legal response to the breach, including:
- Investigating U of M’s cybersecurity protocols: Was the university following industry standards? Did it ignore known risks? How long did it wait to respond?
- Evaluating damages for different victim groups: The effects of this breach vary depending on whether you’re a student, student-athlete, faculty member, or patient. Jon’s team is assessing the unique losses and risks faced by each group.
- Determining legal pathways: Depending on the facts of your case, you may be eligible to join a class action lawsuit or pursue an individual claim. Marko Law is preparing both tracks.
Empathetic Representation. Relentless Advocacy.
At Marko Law, you're not just a number. You're not a file on a desk. You’re a real person whose trust was violated, and that matters.
Jon Marko and his team treat every client with:
- Compassion and respect
- Clear, honest communication
- Aggressive courtroom advocacy
The University Failed to Protect You. We Won’t.
When you enrolled at the University of Michigan, sought care through its health system, or trusted it with your employment, you never signed up to have your identity stolen. But that’s exactly what this data breach has put at risk—for hundreds of thousands of people.
This wasn’t just a technical failure. It was a breach of duty, a breach of trust, and a breach of your most private information. And the University’s delayed response only made it worse.
At Marko Law, we’re not here to sugarcoat it. We’re here to hold the University of Michigan accountable. We’ve taken on U of M before—and we’re doing it again.
If you were affected by this breach—whether you’re a student, athlete, patient, or employee—you deserve answers. You deserve action. And you may be entitled to real compensation for the very real harm you’ve suffered.
Contact Marko Law for a Free Data Breach Case Evaluation
📞 Phone: +1-313-777-7777
📍 Main Office: 220 W. Congress, 4th Floor, Detroit, MI 48226
🌐 Website: www.markolaw.com
.svg)
