Cyber Incident Victim: 90 Degree Benefits
Date:
Feb 2022
Location:
United States of America
Summary
A cybersecurity incident at 90 Degree Benefits involved unauthorized network access by malicious code, leading to potential exposure of sensitive protected health information. The breach resulted in unauthorized data removal affecting patient demographics, Social Security numbers, health insurance details, medical records, diagnoses, treatment dates, and billing information. Upon detecting suspicious activity, the organization suspended user access, implemented enhanced security protocols, initiated forensic investigations, and notified law enforcement to mitigate further risks and remediate impacted systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On April 20, 2022, Baptist Medical Center and Resolute Health Hospital, both operated by Baptist Health System in Texas, detected suspicious unauthorized network activity prompting an immediate security response. The hospitals suspended user access to affected systems and activated extensive cybersecurity protection protocols to contain the potential breach. Subsequent forensic investigations determined that an unauthorized third party had infiltrated certain hospital network systems between March 31 and April 24, 2022, during which malicious code was deployed and data was exfiltrated. The nearly month-long access period allowed threat actors to remove sensitive information from hospital networks before detection occurred. Law enforcement agencies were promptly notified of the intrusion as part of the coordinated incident response.
The compromised data included multiple categories of protected health information and personally identifiable information, specifically affecting patient demographics, Social Security numbers, health insurance policy details, medical record numbers, diagnosis codes, treatment dates, and billing/claims records. While the exact number of affected individuals remains undisclosed, the hospitals confirmed the incident potentially exposed sensitive clinical and financial information. Baptist Health System initiated mitigation measures to remediate vulnerabilities and prevent further unauthorized access following forensic findings. No evidence suggests public disclosure of stolen data occurred through hospital communications. The organization emphasized its serious approach to information security through immediate investigative actions, system protections, and regulatory compliance efforts following the discovery.