Posted On December 2, 2022 Consumer Privacy & Data Breaches
On November 11, 2022, Stanley Street Treatment and Resources, Inc. (“SSTAR”) filed notice of a data breach with the U.S. Department of Health and Human Services Office for Civil Rights after the company learned that an unauthorized party accessed and removed files containing confidential patient information from its computer network. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ first and last names, date of birth, Social Security numbers, driver’s license numbers, state identification numbers, financial account information and protected health information. After confirming that consumer data was leaked, SSTAR began sending out data breach notification letters to 45,785 individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the SSTAR data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Stanley Street Treatment and Resources, Inc.
The available information regarding the Stanley Street Treatment and Resources breach comes from the company’s filing with the U.S. Department of Health and Human Services Office for Civil Rights. SSTAR also posted a “Notice of Data Security Incident” on its website. According to these sources, Stanley Street Treatment and Resources recently learned that an unauthorized party was able to access the organization’s computer system and remove certain files. In response, SSTAR alerted law enforcement and then began working with a third-party data security firm to investigate the incident and determine whether any sensitive patient information was leaked as a result.
The SSTAR investigation confirmed that an unauthorized party was not only able to access its computer system but also that they removed some of the files. It was discovered that the files contained confidential patient information.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Stanley Street Treatment and Resources began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your full name, Social Security number, government identification number, date of birth, financial account information, dates of service, medical diagnosis and conditions information, medical treatment and medications information, and health insurance information.
On November 11, 2022, Stanley Street Treatment and Resources sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Founded in the late 1970s, Stanley Street Treatment and Resources, Inc. is a healthcare provider based in Fall River, Massachusetts. The company provides a wide range of services to patients, including in-patient addiction treatment, outpatient addiction treatment, stabilization, acupuncture, women’s health and general primary care services. SSTAR has locations in Fall River, MA and Cranston, RI. Stanley Street Treatment and Resources employs more than 250 people and generates approximately $24 million in annual revenue.
The Stanley Street Treatment and Resources, Inc. breach leaked the sensitive data of more than 45,000 patients. According to the company’s data breach letter, patients’ “medical diagnosis and conditions information, medical treatment and medications information, and health insurance information” were among the compromised data. While SSTAR didn’t use the term, it appears as though the breach impacted the protected health information of affected patients.
Protected health information, often referred to as “PHI,” is demographic information, medical history information, test and laboratory results, mental health information, insurance information and other data collected by healthcare professionals during the course of treating a patient.
The collection and use of PHI are governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Of course, not all healthcare-related data is protected health information. For example, information that is not linked to any specific patient is not protected. Thus, in order for health information to be considered “protected,” it must contain at least one identifier. An identifier is another piece of information that someone can use to connect the data to a specific patient. Under HIPAA, there are 18 different identifiers, including:
Given that your healthcare is a very personal matter, any healthcare data breach is very concerning. However, aside from the privacy risks, there is also the possibility that patients suffer financial—and even physical—harm in the wake of an attack.
For example, hackers who obtain protected health information often attempt to sell the information to someone who then takes the information to the doctor, pretending to be the victim. This not only leaves the victim responsible for the bill but can also lead to misleading and incorrect information being added to their medical records. However, there are steps you can take to reduce the chances of falling victim to healthcare identity theft, as well as to hold the company that leaked your information financially accountable.
Stanley Street Treatment and Resources, Inc. is not the only healthcare provider to be targeted in a cyberattack. In fact, more than two million people have had their protected health information leaked in similar data breaches in 2022 alone. Given this reality, it is incredibly important victims of a healthcare data breach understand what is at risk and what their options are.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the SSTAR data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Stanley Street Treatment and Resources, Inc. (the actual notice sent to consumers can be found here):
Between November 11, 2022 and November 22, 2022, Stanley Street Treatment and Resources, Inc. (“SSTAR”) is notifying individuals whose information may have been included in a recent data security incident. For individuals who have questions or need additional information regarding this incident, or to determine if they are impacted, SSTAR has established a dedicated toll-free response line at 1-800- 492-2729. The response line is available Monday through Friday, 8 a.m. to 5 p.m. Eastern Time.
The privacy and security of the personal information we maintain is of the utmost importance to Stanley Street Treatment and Resources, Inc. (“SSTAR”).
SSTAR determined that an unauthorized party removed a limited number of files from our system. Upon detecting the incident, we commenced an immediate and thorough investigation and alerted law enforcement. As part of our investigation, we engaged leading cybersecurity experts to identify what personal information, if any, might have been present in the impacted files.
After an extensive forensic investigation and manual document review, we discovered on September 26, 2022 that one or more of the files removed by the unauthorized party on October 14, 2021 contained personal information pertaining to a limited number of individuals, such as full names, Social Security numbers, government identification numbers, dates of birth, financial account information, dates of service, medical diagnosis and conditions information, medical treatment and medications information, and health insurance information.
SSTAR is not aware of any reports of identity fraud or improper use of personal information as a direct result of this incident. However, out of an abundance of caution, SSTAR is notifying individuals whose information may have been included in the files accessed by the unauthorized party. Notified individuals are being provided with best practices to protect their information, and individuals whose Social Security numbers were contained in the impacted files are being offered complimentary credit monitoring.
SSTAR is committed to maintaining the privacy of personal information in its possession and has taken many precautions to safeguard it. SSTAR continually evaluates and modifies its practices to enhance the security and privacy of the personal information it maintains.