Cyber Incident Victim: Man Alive, Inc.
Date: Aug 2016
Location: United States of America
Summary
A Baltimore-based addiction treatment clinic experienced a breach when an attacker used social engineering to deliver a malicious Word file to an employee, compromising their system. The stolen patient database, containing sensitive personal details such as names, Social Security numbers, dates of birth, contact information, physical descriptions, driver’s license data, and treatment records including admission dates, methadone status, and provider names, was subsequently offered for sale on the dark web. The hacker demanded a ransom of 15 Bitcoin to prevent the data’s release, which the organization did not pay. The incident impacted 860 individuals and was reported to federal health authorities. Law enforcement was alerted before the clinic became aware of the breach but declined to intervene.
Description
On August 24, 2016, the Baltimore-based nonprofit addiction treatment facility Man Alive, Inc. suffered a cyberattack resulting in the theft of sensitive patient data. The attacker, using the alias "Return," claimed to have compromised the organization through a social engineering scheme targeting an employee. A malicious Word document containing embedded code was downloaded, infecting the employee's computer and enabling unauthorized access to the patient database. The stolen data, which included highly sensitive personal and treatment information, was subsequently listed for sale on the dark web marketplace crdclub.su. Patient records contained names, dates of birth, full Social Security numbers, addresses, phone numbers, physical descriptions, driver’s license details, employment status, emergency contacts, and treatment specifics such as admission dates, methadone usage, provider names, and payment methods. While not all fields were populated for every patient, the dataset exposed Medicaid enrollment status for many individuals, though insurance account numbers were not included in the breach.

DataBreaches.net first learned of the incident through a tip in late August 2016 and verified the authenticity of sample data provided by the attacker. After unsuccessful attempts to contact Man Alive outside business hours, the outlet alerted the Baltimore FBI field office, which declined to intervene. "Return" attempted to extort the clinic by demanding 15 Bitcoin (BTC) to prevent the data sale, but no payment was made as of September 7. Man Alive, a HIPAA-covered entity, reported the breach to the U.S. Department of Health and Human Services on September 9, confirming 860 affected individuals. The compromised information remained publicly listed for sale with no indication of a negotiated resolution between the clinic and the threat actor at the time of reporting.
