High Severity (Score: 6/10)

90 Degree Benefits Email Breach Exposes 1,268 Healthcare Records


Breach Details

Entity: 90 Degree Benefits, Inc. – St. Paul
Individuals Affected: 1,268
State: WI
Breach Type: Hacking/IT Incident
Location: Email
Date Reported: April 18, 2025
Entity Type: Business Associate
Business Associate: Yes


A recent healthcare data breach involving 90 Degree Benefits, Inc. in St. Paul has compromised the protected health information (PHI) of 1,268 individuals. Reported on April 18, 2025, this email-based cyberattack highlights the ongoing vulnerabilities in healthcare data security, particularly among business associates handling sensitive patient information.

What Happened

90 Degree Benefits, Inc., a business associate operating in Wisconsin, experienced a hacking/IT incident that specifically targeted their email systems. The breach was classified as an email-based attack, indicating that cybercriminals likely gained unauthorized access to email accounts containing protected health information.

While the Department of Health and Human Services (HHS) breach report provides limited details about the specific nature of the attack, the classification as a hacking incident suggests this was not an accidental disclosure but rather a deliberate attempt by malicious actors to access healthcare data.

The breach was reported to HHS on April 18, 2025, in compliance with the HIPAA Breach Notification Rule under 45 CFR § 164.408, which requires covered entities and their business associates to report breaches affecting 500 or more individuals within 60 days of discovery.

Who Is Affected

This breach impacts 1,268 individuals whose protected health information was potentially accessed by unauthorized parties. As a business associate, 90 Degree Benefits likely handles PHI on behalf of covered entities such as hospitals, clinics, or other healthcare providers.

Business associates under HIPAA are third-party organizations that perform functions or activities involving the use or disclosure of PHI on behalf of covered entities. Common examples include:

  • Claims processing companies
  • Data analysis firms
  • Billing services
  • IT support providers
  • Benefits administration companies

Breach Details

Entity: 90 Degree Benefits, Inc. – St. Paul
Location: Wisconsin
Entity Type: Business Associate
Individuals Affected: 1,268
Breach Type: Hacking/IT Incident
Breach Location: Email systems
Date Reported: April 18, 2025

The email-based nature of this breach is particularly concerning as email systems often contain:

  • Patient correspondence
  • Medical records attachments
  • Insurance information
  • Treatment summaries
  • Billing details
  • Personal identifiers

Email breaches can occur through various methods including:

  • Phishing attacks that trick employees into revealing credentials
  • Malware infections that provide persistent access to email systems
  • Credential stuffing using previously compromised passwords
  • Business Email Compromise (BEC) schemes

What This Means for Patients

For the 1,268 affected individuals, this breach could potentially expose various types of protected health information, including:

  • Names and contact information
  • Social Security numbers
  • Health insurance details
  • Medical record numbers
  • Treatment information
  • Billing and payment data

Under 45 CFR § 164.404 of the HIPAA Breach Notification Rule, affected individuals must be notified without unreasonable delay, but no later than 60 days after discovery of the breach. This notification should include:

  • A description of what happened
  • The types of information involved
  • Steps being taken to investigate and mitigate the breach
  • What individuals can do to protect themselves
  • Contact information for questions

The exposed information could potentially be used for:

  • Identity theft
  • Medical identity theft
  • Insurance fraud
  • Financial fraud
  • Targeted phishing attempts

How to Protect Yourself

If you believe you may be affected by this breach, take these immediate steps:

Monitor Your Accounts

  • Review medical bills and insurance statements for unauthorized charges
  • Check credit reports regularly for suspicious activity
  • Monitor bank and credit card statements for fraudulent transactions
  • Set up account alerts for unusual activity

Protect Your Identity

  • Consider placing a fraud alert on your credit reports
  • Request a credit freeze if you're particularly concerned
  • Update passwords for healthcare and insurance accounts
  • Enable two-factor authentication where available

Stay Vigilant

  • Be cautious of phishing emails claiming to be from healthcare providers
  • Verify requests for personal information through official channels
  • Report suspicious activity to the appropriate authorities
  • Keep records of all communications related to the breach

Know Your Rights

Under 45 CFR § 164.524, you have the right to:

  • Request copies of your medical records
  • Know who has accessed your information
  • Request restrictions on how your PHI is used
  • File complaints with HHS if you believe your rights were violated

Prevention Lessons for Healthcare Providers

This breach serves as a critical reminder for healthcare organizations and their business associates to strengthen their cybersecurity posture. Key prevention strategies include:

Email Security Measures

  • Implement advanced threat protection for email systems
  • Use email encryption for PHI transmissions
  • Deploy anti-phishing solutions with real-time scanning
  • Conduct regular security awareness training for all staff

Access Controls

  • Multi-factor authentication for all email accounts
  • Role-based access controls limiting PHI exposure
  • Regular access reviews to remove unnecessary permissions
  • Strong password policies with regular updates

Technical Safeguards

  • Network segmentation to isolate critical systems
  • Endpoint detection and response tools
  • Regular vulnerability assessments and penetration testing
  • Incident response plans with clear escalation procedures

Business Associate Management

Covered entities must ensure their business associates maintain appropriate safeguards under 45 CFR § 164.314:

  • Comprehensive Business Associate Agreements (BAAs)
  • Regular security assessments of business partners
  • Due diligence reviews before engaging new associates
  • Ongoing monitoring of business associate security practices

Compliance Requirements

The HIPAA Security Rule (45 CFR § 164.306) requires:

  • Administrative safeguards including security officer designation
  • Physical safeguards protecting electronic systems and equipment
  • Technical safeguards controlling access to electronic PHI

This breach underscores the critical importance of robust cybersecurity measures in healthcare. As cyber threats continue to evolve, healthcare organizations and their business associates must remain vigilant and proactive in protecting patient information.

The consequences of inadequate security can extend far beyond regulatory penalties, potentially damaging patient trust and organizational reputation. By implementing comprehensive security frameworks and maintaining strict compliance with HIPAA requirements, healthcare entities can better protect the sensitive information entrusted to their care.


Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.
