90 Degree Benefits, Inc. – St. Paul Data Breach 2025: 1,268 Affected · Email Account Compromise · WI. Filed With HHS OCR. What To Do.
90 Degree Benefits, Inc. – St. Paul (WI) filed a HIPAA breach notification with the HHS Office for Civil Rights on April 18, 2025, reporting 1,268 affected individuals after an attacker accessed a single employee email account containing protected health information. State AG filings began April 8, 2025; complimentary credit monitoring was offered through Experian IdentityWorks.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 18, 2024
Unauthorized actor gained access to a single employee email account.
Dec 17, 2024
Investigation confirmed the actor had accessed certain emails and attachments containing PHI.
Apr 8, 2025
Notice filed with the Texas Attorney General; individual notification letters mailed.
Apr 18, 2025
HIPAA breach notification filed with HHS OCR for the St. Paul / Wisconsin entity (1,268 individuals).
Apr 18, 2025
Disclosed publicly
Apr 19, 2025
Notice filed with the California Attorney General.
Oct 18, 2024
Unauthorized actor gained access to a single employee email account.
Dec 17, 2024
Investigation confirmed the actor had accessed certain emails and attachments containing PHI.
Apr 8, 2025
Notice filed with the Texas Attorney General; individual notification letters mailed.
Apr 18, 2025
HIPAA breach notification filed with HHS OCR for the St. Paul / Wisconsin entity (1,268 individuals).
Apr 18, 2025
Disclosed publicly
Apr 19, 2025
Notice filed with the California Attorney General.
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
90 Degree Benefits, Inc. – St. Paul filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on April 18, 2025, reporting 1,268 affected individuals in Wisconsin. The incident stemmed from an attacker gaining unauthorized access to a single employee email account that contained protected health information held in the company’s role as a third-party benefits administrator and HIPAA business associate.
Broader notices filed with the Texas and California Attorneys General show the underlying email-account compromise affected several thousand individuals nationwide across multiple 90 Degree Benefits entities. The 1,268 figure on the OCR portal reflects the Wisconsin / St. Paul subset specifically.
Timeline
- October 18, 2024 — An unauthorized actor first accessed a single employee email account at 90 Degree Benefits.
- December 17, 2024 — Investigation confirmed that the actor had accessed certain emails and attachments containing personal and protected health information.
- April 8, 2025 — Notice filed with the Texas Attorney General; individual notification letters mailed to affected persons.
- April 18, 2025 — HIPAA breach notification filed with HHS OCR for the St. Paul / Wisconsin entity, reporting 1,268 affected individuals.
- April 19, 2025 — Notice filed with the California Attorney General.
The roughly six-month gap between initial access and confirmation, followed by another four months before individual notification, is on the long end of what HIPAA’s 60-day clock contemplates. The clock typically runs from the date the breach is discovered, which 90 Degree Benefits has dated to the December 17, 2024 investigation conclusion rather than the October 18, 2024 access date.
What was exposed
According to the company’s notice and state AG filings, the information that may have been accessed varies by individual but includes:
- Name
- Date of birth
- Medical information
- Health insurance information
- Social Security number (for a subset of affected individuals)
- Member ID (for a subset of affected individuals)
The HHS OCR portal classifies the breach location as Email, which is consistent with the email-account compromise described in the state filings.
What 90 Degree Benefits is offering
Affected individuals were offered complimentary credit monitoring and identity restoration services through Experian IdentityWorks. The company also stated it secured the affected email account, engaged outside cybersecurity professionals to investigate, reviewed its processes, and provided additional training to employees.
The notice states there is “currently no evidence of actual or attempted misuse” of the information, which is standard language and does not preclude future misuse.
Class-action posture
As of this writing, multiple plaintiffs’ firms — including Console & Associates P.C., Strauss Borrelli PLLC, and Shub Johns & Holbrook LLP — have publicly announced investigations into the 2024–2025 incident, but no consolidated class action specific to this incident has been confirmed filed.
Note: a separate $990,000 class-action settlement in Fernandez, et al. v. 90 Degree Benefits LLC, et al. (E.D. Wis.) resolves claims arising from two earlier 2022 breaches at 90 Degree Benefits and is unrelated to the October 2024 email-account incident covered on this page.
What to do if you may be affected
- Activate the offered credit monitoring. If you received a notification letter from 90 Degree Benefits, enroll in the Experian IdentityWorks coverage. It is paid for and adds nothing to your risk profile.
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft. A credit freeze and credit monitoring are complementary, not redundant.
- Watch your health-plan EOBs for charges or claims you do not recognize. Medical identity theft tends to surface in benefit statements before it shows up in credit reports.
- Be alert for targeted phishing. Because the attacker had access to real email correspondence, follow-on phishing attempts may reference accurate details about your plan or providers. Do not click links or call numbers from any message claiming to be from 90 Degree Benefits — go to the company’s website directly or use the phone number printed on your insurance card.
- Keep the notification letter. It establishes your standing if a class action is later filed and certified.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- Console & Associates notice via JD Supra — summary of the company’s notification letter.
- HIPAA Agent breach report — independent summary of the OCR portal entry.
- ClaimDepot breach summary — timeline and data-element detail drawn from state AG filings.
- Strauss Borrelli PLLC investigation — plaintiffs’ firm investigation page.
- Massachusetts Attorney General breach filing index — state breach-notice repository (filing 2025-693).
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Console & Associates notice via JD Supra
- HIPAA Agent breach report
- ClaimDepot breach summary
- Strauss Borrelli PLLC investigation
- Massachusetts Attorney General breach filing index (2025-693)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.