Cyber Incident Victim: Stanley Street Treatment and Resources
Date:
Nov 2022
Location:
United States of America
Summary
A healthcare provider experienced a data breach where an unauthorized party accessed its computer systems and removed confidential patient files. The compromised information included names, Social Security numbers, government identification details, dates of birth, financial account data, medical diagnoses, treatment histories, and health insurance information. Approximately 45,785 individuals were affected by the incident. The organization notified law enforcement, engaged third-party cybersecurity experts to investigate, and sent breach notifications to impacted parties. As a Massachusetts-based provider offering addiction treatment and primary care services across multiple locations, the incident exposed sensitive personal and health data of patients to potential identity theft and fraud risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Stanley Street Treatment and Resources, Inc. (SSTAR) discovered unauthorized access to its computer systems that resulted in the removal of confidential patient files, prompting the organization to report a data breach to the U.S. Department of Health and Human Services Office for Civil Rights on November 11, 2022. The breach occurred when an external party gained entry to SSTAR's network and exfiltrated sensitive information, leading the healthcare provider to engage law enforcement and initiate a third-party forensic investigation to assess the scope of the compromise. Investigators confirmed that the attackers successfully accessed and removed files containing personally identifiable information and protected health data belonging to patients. The compromised records included first and last names, Social Security numbers, driver’s license or state identification numbers, dates of birth, financial account details, dates of medical service, diagnostic information, treatment and medication histories, and health insurance data. SSTAR conducted a comprehensive review of the affected files to identify impacted individuals and determine the specific data elements exposed for each patient. The breach affected 45,785 individuals receiving addiction treatment, primary care, women's health services, and other medical programs across SSTAR's facilities in Fall River, Massachusetts, and Cranston, Rhode Island.
Following confirmation of the data exposure, SSTAR issued notification letters to all affected patients on November 11, 2022, detailing the compromised information types and advising on identity theft protection measures. The organization publicly disclosed the incident through a formal Notice of Data Security Incident posted on its website alongside regulatory filings. SSTAR did not disclose the specific attack vector or duration of unauthorized access within its systems but emphasized collaboration with cybersecurity professionals to investigate the intrusion. As a regional healthcare provider generating $24 million annually with over 250 employees, the breach exposed vulnerabilities in SSTAR's data security infrastructure despite its operational scale and established presence since the 1970s. The incident compromised multiple categories of sensitive information critical to patient privacy under health data protection regulations, though SSTAR did not report evidence of misuse or fraudulent activity involving the stolen data at the time of disclosure.