blue cross of new mexico data breach

90 Degree Benefits Reports Data Breach Affecting over 163,000

‣ California Attorneys Investigate on Behalf of Affected Employees

On June 10, 2022, 90 Degree Benefits, Inc., an Alabama-based company that provides benefit plan services for employers and employees, reported a data breach to the California Attorney General’s Office affecting over 163,000 people nationwide.

According to 90 Degree Benefits, from February 24, 2022 to February 27, 2022, its Wisconsin location “experienced a data security incident that impacted certain systems.” On April 21, 2022, 90 Degree Benefits determined that the data that could have been accessed as a result of the incident related its client’s employees and health plan members.

Active attorney investigation into this data breach and its causes is ongoing, and we hope to have additional details soon about the nature of the breach and the types of data at risk. So far, 90 Degree Benefits has identified that “personal information” and Social Security numbers may have been included.

90 Degree Benefits is offering either 12 or 24 month complimentary identity monitoring and protection services through IDX. There is a deadline for enrollment listed on the notice.

The full text of the 90 Degree Benefits Notice of Data Breach can be found here.

Special California Laws Protect You From Data Breach Harms

If you are a California resident and received a Notice of Data Breach from 90 Degree Benefits you may be entitled to between $100 and $1,000 plus actual damages resulting from the negligent release of your confidential information, depending on the nature of the data that was improperly accessed.

California has unique state laws, including the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act (CMIA) that compensate individuals whose confidential and sensitive data have been accessed and disclosed. Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again) and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from occurring again.

Corporations Should Be Held Accountable For Data Breaches

When businesses decide to collect and keep personal data about California employees, under California law they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals. This personal data is incredibly valuable to criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”[1] The stakes are high: Data breach victims are more likely to also be victims of additional fraud.[2]

Cybercrimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate is under $20 per record, depending on the type of information, according to Privacy Affairs Dark Web Index of 2021. Certain critical types of personal information – like Social Security numbers, names, and birth dates – are impossible, or almost impossible, to change.

Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities. “The effects of a health data breach on consumers outlast the initial breach.”[3] Once you know your data has been disclosed, it is reasonable to take action to avoid concerns that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.


[1] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).

[2] Same

[3] Source: R. Bonta, California Attorney General, BULLETIN: Obligation to Proactively Reduce Vulnerabilities to Ransomware Attacks and Requirements Regarding Health Data Breach Reporting (2021).