A Massachusetts-based ambulance billing company has agreed to pay federal regulators a $75,000 penalty and implement a corrective action plan following a 2022 ransomware breach that affected about 70 clients and nearly 586,000 people. The U.S. Department of Health and Human Services' Office for Civil Rights said on 30 June 2025 that it had reached the settlement with Comstar LLC following its investigation of the company's hacking incident for potential HIPAA violations. HHS OCR found that Comstar failed to conduct a timely and thorough HIPAA security risk analysis, which for years has been a recurring weakness among many of the covered entities and business associates that HHS OCR investigates and audits.
The Comstar settlement marks the ninth enforcement action by HHS OCR since the agency launched its risk analysis enforcement initiative in October 2024. "Assessing the potential risks and vulnerabilities to electronically protected health information is effective cybersecurity, and a HIPAA Security Rule requirement," said Anthony Archeval, HHS OCR acting director, in a statement. "Failure to conduct a HIPAA risk analysis can cause healthcare entities to be more susceptible to cyberattacks." The Comstar case is also HHS OCR's 13th enforcement action since the agency launched a separate priority enforcement initiative focused on ransomware in October 2023.
HHS OCR said it opened its investigation after Comstar submitted a breach report on 26 May 2022 stating that an unknown actor had gained unauthorized access to Comstar's network servers on 19 March 2022. Comstar did not detect the intrusion until a week later, on 26 March 2022, when its IT service vendor began receiving support tickets, HHS OCR said.
The attackers encrypted Comstar's network servers with ransomware, compromising the health information of 585,621 people, HHS OCR said. The affected data included individuals' names, dates of birth, medical assessment and medication administration information, health insurance information, driver's license numbers, financial account information and Social Security numbers, according to Comstar's breach notice. At the time of the breach, Rowley, Mass.-based Comstar served as a business associate to more than 70 HIPAA-covered organizations, HHS OCR said. Comstar provides billing, collection, consulting, electronic patient care reporting, and client and patient services for nonprofit and municipal ambulance services.
Under the settlement, Comstar does not admit to any liability. Under the resolution agreement, Comstar also must implement a corrective action plan to improve its data security and privacy. The company must:
- Conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI.
- Develop an enterprise-wide risk management plan to address and mitigate the security risks and vulnerabilities found in that risk analysis.
- Review and revise, as necessary, its written policies and procedures to comply with the HIPAA privacy, security and breach notification regulations.
- Implement those policies and procedures and distribute them to all workforce members.
- Provide HIPAA training materials to all workforce members who have access to ePHI within 30 days of the adoption of those policies and procedures.
The Comstar settlement is HHS OCR's 16th HIPAA enforcement action so far in 2025. Also in June 2025, HHS OCR announced that BayCare, a Florida healthcare system, paid $800,000 and will implement a corrective action plan to settle a HIPAA investigation into a 2018 malicious insider incident involving a patient's medical records.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com