One-sentence summary:
90 Degree Benefits was breached twice in 2022, affecting at least 181,000 members and resulting in a class-action lawsuit.
Who was involved?
90 Degree Benefits – MN/WI (Minnesota and Wisconsin), 181,543 customers, and a threat actor.
What was the timeline?
December 5, 2022: Breach starts
December 10, 2022: 90 Degree Benefits detects the attack
December 11, 2022: Breach stops
February 8, 2023 & March 10, 2023: 90 Degree Benefits begins initial rounds of consumer notification
April 7, 2023: 90 Degree Benefits provides notice to Maine residents
April 21, 2023: Class-action lawsuit is filed against 90 Degree Benefits in federal court in Wisconsin (Greek et al. v. 90 Degree Benefits Inc. et al., 2023)
What occurred?
90 Degree Benefits was breached in December 2022, resulting in the potential disclosure of the following information for over 181,543 members: “name, address, date of birth, Social Security number, medical/health information, and/or information related to the payment of healthcare services” (90 Degree Benefits, 2023; Flunker, 2023). A class-action lawsuit has been filed in Wisconsin federal court against 90 Degree Benefits due to the breach (Greek et al. v. 90 Degree Benefits Inc. et al., 2023). 90 Degree Benefits’ earlier breach in 2022 is cited against the company in the lawsuit (Greek et al. v. 90 Degree Benefits Inc. et al., 2023, p. 3). That breach affected a similar number: over 172,450 members per HHS (HHS, 2022).
Estimated costs:
Associated incident response costs, breach notification costs, “leading independent digital forensics firm,” litigation defense costs, 12 months of IDX identity services, M-F call center
Involved laws:
Federal: HIPAA and HITECH
Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45 (Greek et al. v. 90 Degree Benefits Inc. et al., 2023, p. 14)
State: Maine: 10 M.R.S.A. § 1346
Wisconsin: WIS. STAT. §146.81, et seq. (Greek et al. v. 90 Degree Benefits Inc. et al., 2023, p. 39)
Wisconsin Deceptive Trade Practices Act, WIS. STAT. §§100.18, et seq. (Greek et al. v. 90 Degree Benefits Inc. et al., 2023, p. 44)
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
TBA or N/A (see disclaimer)
Sources:
90 Degree Benefits. (2023). Notice of Data Event – 90 Degree Benefits – ME – Exhibit 1.pdf. In Data Breach Notifications. Office of the Maine Attorney General. Retrieved May 4, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/63dc7639-6b70-49b4-8b2d-ee70207dc575/771e85ff-b310-47fa-a0eb-b8b0650d5605/document.html
90 Degree Benefits (appadvice.com). (n.d.). 512x512bb.jpg. appadvice.com. https://is3-ssl.mzstatic.com/image/thumb/Purple112/v4/42/15/c9/4215c9e9-6566-3623-a689-788b5184240e/AppIcon-0-0-1x_U007emarketing-0-0-0-3-0-0-sRGB-0-0-0-GLES2_U002c0-512MB-85-220-0-0.png/512x512bb.jpg
Flunker, B. (2023). Data Breach Notifications. In Privacy, Identity Theft and Data Security Breaches. Office of the Maine Attorney General. Retrieved May 4, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/63dc7639-6b70-49b4-8b2d-ee70207dc575.shtml
Greek et al. v. 90 Degree Benefits Inc. et al., 2023, Case No. 23-cv-511 (E.D. Wis. 2023). https://www.classaction.org/media/greek-et-al-v-90-degree-benefits-inc-et-al.pdf
HHS. (2022). Cases Currently Under Investigation. In Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. U.S. Department of Health and Human Services Office for Civil Rights. Retrieved May 4, 2023, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Commentary:
I will provide a separate report for the February 2022 breach and update this report.