traffic_analyzer/DigitalVision V

Lawsuit Strikes 90 Degree Benefits After 181K-Impacted Data Breach

The plaintiffs seek class-action status in a lawsuit against 90 Degree Benefits, citing weak security measures that failed to keep patient privacy under lock and key in the December 2022 data breach

90 Degree Benefits, a health insurance company, is in hot water as a proposed class-action lawsuit emerges, following a data breach that jeopardized the privacy of more than 181,543 individuals.

The plaintiffs, Steven Greek and Jon Boyajian, alleged that the attack could have been prevented, and that it occurred due to 90 Degree Benefits’ inability to establish and uphold necessary security measures.

“The PII and PHI that Defendants failed to protect with reasonable safeguards can be used by criminals alone, and in conjunction with other pieces of information, to perpetrate crimes against Plaintiffs and Class members that can result in significant liability and damage to their money, property, creditworthiness, reputation, and their ability to prove their identity, pay current loans, improve their credit, and/or obtain loans on favorable terms in the future,” the lawsuit alleged.

The health insurance company discovered unauthorized system activity around December 10, 2022. Following a thorough forensic investigation, 90 Degree Benefits confirmed that unauthorized access to specific systems and files containing customers' personal information occurred between December 5 and December 10, 2022.

The information potentially included names, Social Security numbers, addresses, dates of birth, phone numbers, and health information.

Despite being aware of the situation, the defendants did not notify the affected individuals about the data breach or suspicious activity until at least April 7, 2023. Consequently, numerous patients were left uninformed about the theft of their sensitive information, possibly exchanged on the dark web.

The lawsuit alleged that 90 Degree Benefits knew or should have been conscious of their susceptibility to hacking attempts, taking into account the significant rise in healthcare data breaches.

The filing goes on to mention that 90 Degree Benefits had already endured a significant data breach in February 2022.

“Less than a year earlier, in February 2022, Defendants experienced a similar but different data breach,” the plaintiffs mentioned. “Accordingly, Defendants were on direct notice of the need to implement advanced data security protections but clearly failed to do so.”

Primarily, the lawsuit aims for class action status and a jury trial. Additionally, it requests reimbursement for out-of-pocket expenses and various preventative actions.

The plaintiffs believe that HIPAA-covered business entities, such as 90 Degree Benefits, should, at the very least, adopt several best practices and industry standards.

These include “educating all employees; strong passwords; multi-layer security, including firewalls, anti-virus, and anti-malware software; encryption, making data unreadable without a key; multi-factor authentication; backup data; and limiting which employees can access sensitive data.”

While the lawsuit does not specify any settlement amounts, it's worth noting that settlements are a typical resolution for healthcare data breach cases, and they can result in substantial payouts.

One example is the DNA Diagnostics Center, which agreed to pay a $400,000 settlement to resolve a lawsuit stemming from a cyberattack resulting in a healthcare data breach in 2021.

Next Steps

Dig Deeper on HIPAA compliance and regulation