Comstar to pay $515K to resolve state investigations after ransomware attack

State attorneys general allege the ambulance billing firm failed to maintain required safeguards after a ransomware incident.

What happened

Comstar, a Massachusetts-based ambulance billing and collections company, has agreed to pay $515,000 to resolve investigations by the Massachusetts and Connecticut attorneys general following a ransomware attack that exposed protected health information. The investigations arose from a March 2022 cyber incident in which attackers accessed Comstar’s network, exfiltrated files, and encrypted systems. State officials alleged that the company failed to comply with HIPAA and state data security requirements, including the requirement to maintain an adequate written information security program.

Going deeper

Investigators found that Comstar had not conducted the detailed risk analysis needed to identify vulnerabilities affecting electronic protected health information. The compromised data included patient identifiers, government-issued identification numbers, financial details, and medical assessment information. More than half a million individuals were affected across multiple states. Federal regulators at the U.S. Department of Health and Human Services separately reviewed the incident and determined that Comstar’s security practices did not meet the HIPAA Security Rule’s risk management standards, which resulted in a corrective action plan and additional oversight. The state investigations focused on whether the company’s policies, technical controls, and employee safeguards were sufficient to prevent or limit the impact of the attack.

What was said

Connecticut Attorney General William Tong said the investigation found major security failures at Comstar. “Comstar failed to implement basic, necessary security measures, and as a result exposed the Social Security numbers, medical records, driver’s license numbers and financial information for hundreds of thousands of Connecticut and Massachusetts residents,” Tong said. He added that the settlement includes both a financial penalty and mandatory security improvements, stating that it “sends a clear message that Connecticut will continue to aggressively enforce our data security laws.”

Under the settlement, Comstar agreed to strengthen its security program, improve access controls, and undergo ongoing assessments. The company did not admit wrongdoing but agreed to the resolution to settle the investigations.

In the know

The state settlements are not the first enforcement action Comstar has faced over the same incident. In June, the company agreed to pay $75,000 to the U.S. Department of Health and Human Services and entered into a corrective action plan to address the security gaps identified during the federal investigation. That earlier resolution focused on strengthening Comstar’s data security practices following the ransomware breach.

The big picture

As BankInfoSecurity points out, Comstar’s situation isn’t unusual. In healthcare, a single breach often doesn’t end with one regulator: companies find themselves dealing with both state attorneys general and federal enforcement over the same incident. A well-known example is Anthem Inc., which paid a then-record $16 million to HHS’ Office for Civil Rights in 2018, followed by a $48.2 million settlement with 42 state attorneys general two years later, after a 2014 cyberattack affected nearly 79 million people. Cases like these show how one security failure can lead to years of overlapping penalties, investigations, and costs, long after the breach itself is contained.

FAQs

Why are state attorneys general involved in HIPAA-related cases?

The HITECH Act authorizes state attorneys general to bring civil actions for HIPAA violations that affect their residents, and most states also have their own data security and breach notification laws that apply independently of HIPAA. A single incident can therefore trigger both federal and state enforcement.

What is a written information security program?

It is a formal, documented program describing how an organization identifies risks to sensitive data, the administrative, technical, and physical safeguards it uses to protect that data, and how it responds to security incidents. Massachusetts requires one under its data security regulations (201 CMR 17.00) for any organization that holds personal information about Massachusetts residents.

Does a settlement mean Comstar admitted fault?

No. Settlements typically resolve allegations without an admission of liability.

Why do regulators focus on risk analysis after breaches?

The HIPAA Security Rule requires covered entities and business associates to conduct an accurate and thorough risk analysis of the threats to electronic protected health information (45 CFR 164.308(a)(1)(ii)(A)). Regulators look at it first because it is the step that should have identified the weaknesses attackers exploited; if it was never done, or was done superficially, the rest of the security program has no basis.
