90 Degree Benefits Data Breach Exposes Social Security Numbers

In October 2024, HPHG, LLC dba 90 Degree Benefits, a Texas-based third-party administrator specializing in self-funded health benefit plans, experienced a significant data breach involving an employee’s email account. On October 18, 2024, suspicious activity was detected, and an investigation revealed that an unauthorized actor had gained access to the email account. By December 17, 2024, it was determined that certain emails and attachments within the compromised account were accessed by the intruder.

The review concluded that sensitive information was exposed and involved included names, dates of birth, medical information, and health insurance information. For some individuals, personally identifiable information (PII) such as Social Security numbers and member identification numbers were also at risk, while protected health information (PHI) like medical and insurance details was part of the breach.

The impact of the breach was substantial, affecting 5,104 individuals in Texas and 213 in Massachusetts, with a small number of Rhode Island residents also impacted.

The breach was officially disclosed to the Texas Attorney General’s office on April 8, 2025, to the U.S. Department of Health and Human Services on April 18, and to the California Attorney General’s office on April 19.

The breach was the result of unauthorized access to a single employee’s email account, which allowed the attacker to view emails and attachments containing sensitive information. There is currently no evidence of actual or attempted misuse of the information, but the nature of the breach—compromising both PII and PHI—makes it a serious incident for those affected.

90 Degree Benefits's response

In response to the breach, 90 Degree Benefits acted quickly to secure the affected email account and launched a thorough investigation with the help of cybersecurity professionals. The company reviewed its processes and provided additional training to employees to help prevent similar incidents in the future.

To support those affected, 90 Degree Benefits is offering complimentary credit monitoring and identity restoration services through Experian IdentityWorks for a period of several months. Impacted individuals are encouraged to enroll in these services by following the instructions provided in the mailed notification letter. The company is also urging everyone affected to remain vigilant by monitoring their credit reports, insurance statements, and medical bills for any suspicious activity.

If you have received a notification letter, it is important to take the following steps:

• Enroll in the complimentary Experian IdentityWorks credit monitoring service before the deadline.
• Regularly review your credit reports and health insurance statements for unauthorized or suspicious activity.
• Consider placing a fraud alert or credit freeze with the major credit bureaus.
• Report any suspected identity theft to law enforcement and your state attorney general.

The company has set up a dedicated assistance line at 866-530-9923, available Monday through Friday from 8:00am to 8:00pm Central Time (excluding major US holidays), to answer questions and provide support.

For further details, you can also review the official data breach notices on the Texas Attorney General’s data breach reports page, the California Attorney General’s data breach notification site, and the U.S. Department of Health and Human Services breach portal.