Comstar’s Alleged HIPAA Violations Settled for $515,000

Comstar LLC agreed to pay $515,000 to resolve allegations by the Massachusetts and Connecticut Attorneys General that the company failed to safeguard sensitive patient medical information in violation of state and federal law.

Massachusetts Attorney General Andrea Joy Campbell and Connecticut Attorney General William Tong announced the settlement with Comstar LLC, an ambulance billing vendor that provides billing services to ambulance companies and fire departments. The $515,000 settlement resolves allegations that Comstar failed to implement reasonable safeguards to protect sensitive patient medical information.

Nature Of The Allegations

The Attorneys General alleged that Comstar did not adequately secure patients’ protected health information during a cyberattack in March 2022. The data potentially stolen by threat actors included Social Security numbers, health records, financial data, and the driver’s license numbers of roughly 22,829 Connecticut residents and 326,426 Massachusetts residents.

Investigations revealed that Comstar did not have an adequate Written Information Security Program (WISP) that could have helped avert the ransomware attack. A WISP helps an organization identify and evaluate reasonably foreseeable risks and assess the effectiveness of its safeguards; it also sets out guidelines for proper employee HIPAA training and compliance. Comstar also did not perform standard risk assessments or implement proper data retention, encryption, and access control procedures. Following the attack, Comstar began mailing data breach notifications in May 2022 to clients on behalf of the affected entities.

Settlement Terms

Aside from paying the $515,000 settlement and penalty for the alleged violations of state law and HIPAA, Comstar must deploy a phishing protection application, a vulnerability management system, multi-factor authentication (MFA), an asset inventory, an intrusion detection/prevention system, a security information and event management (SIEM) program, and endpoint security software for laptops and desktops on Comstar’s systems. A security assessment must be conducted once a year for three years, and the results of those reviews must be submitted to the Attorneys General’s offices (AGOs).

The enforcement action required close communication between the Attorneys General of Massachusetts and Connecticut. Comstar agreed to pay to resolve the allegations without the matter going to court.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone