Cyber Incident Victim: 90 Degree Benefits
Date:
Feb 2023
Location:
United States of America
Summary
An employee benefits firm experienced a second large-scale hacking incident compromising protected health information of approximately 175,000 individuals via unauthorized network server access. Following a prior breach impacting over 172,000 people, the Wisconsin-based company notified federal regulators without disclosing specifics about exposed data types, though previous attacks involved sensitive personal identifiers including names, addresses, and Social Security numbers. The incident reflects recurring cybersecurity challenges for the organization involving external threats targeting its systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The February 8, 2023, data breach reported by 90 Degree Benefits impacted approximately 175,000 individuals through unauthorized access to the company’s network server. Identified by the Wisconsin-based employee benefits provider as a hacking and IT security incident, this event represented the second major breach disclosed by the firm within a twelve-month period. The notification was submitted to the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) on the reporting date, though the company did not immediately publish a public notice on its official website detailing the breach. No specific timeline of unauthorized network access, intrusion methods, or duration of the compromise was publicly confirmed for the 2023 incident, nor did initial disclosures specify the exact categories of protected health information (PHI) involved beyond the broad designation of a network server compromise.
This breach followed a prior cybersecurity incident reported by 90 Degree Benefits to HHS OCR on June 6, 2022, affecting 172,450 individuals. The 2022 breach involved unauthorized access to the company’s systems between February 24 and February 27, 2022, with forensic investigations confirming potential theft of personally identifiable information including names, addresses, and Social Security numbers. That earlier intrusion was discovered on February 27, 2022, triggering an incident response process that concluded with regulatory reporting nearly four months later. The repetition of a large-scale breach affecting similar victim demographics within consecutive years indicated persistent vulnerabilities in the organization’s network infrastructure. No remediation measures, policy changes, or security enhancements undertaken between the two incidents were documented in the available public reporting of the 2023 breach. Impacted individuals in the latest incident were not noted to have received complementary identity protection services or detailed notifications specifying data exposure particulars at the time of the HHS filing.