Here’s your reminder that if federal regulators like HHS OCR don’t investigate and penalize you after a data breach involving patient data, state attorneys general may, and class-action lawyers may also come after you in federal or state courts. In some cases, like this one, federal, state, and class-action lawyers may all come after you — for money and for corrective action plans.
And all that, of course, is separate from ransomware gangs demanding large sums for decryption keys or to supposedly delete all the data they exfiltrated.
In May 2022, ambulance billing service Comstar, LLC announced it was notifying patients whose personal and protected health information (PHI) had been encrypted in a ransomware attack in March. On April 21, Comstar discovered that PHI was involved, and on May 25, 2022, it notified HHS that 68,957 patients had been affected. Many of Comstar's roughly 70 affected clients may have done their own notifications, however, because when HHS OCR investigated, it learned that approximately 585,621 patients in total had been affected.
Comstar’s breach involved patients serviced over a 10-year period by town and local fire department emergency medical services as well as private organizations. And some of the affected providers were not even Comstar clients at the time of the breach. As Spaulding Rehabilitation explained in its August 2022 notification to its affected patients:
Comstar is a previous ambulance billing vendor used by Spaulding Rehabilitation Hospital d/b/a Spaulding Ambulance. Spaulding Ambulance has not used Comstar for any services since 2016. Spaulding Ambulance recently learned that suspicious activity was identified in Comstar’s environment. Spaulding Ambulance received information from Comstar that individuals served by Spaulding Ambulance were involved in Comstar’s incident on July 12, 2022. This incident occurred solely at Comstar and did not involve systems from either Spaulding Rehabilitation Hospital or Spaulding Ambulance.
That Comstar had retained data for six years is not surprising, nor necessarily improper or illegal. It may be perfectly appropriate, as HIPAA requires retention for at least six years, and states may require even longer. But it would appear that data from former clients was not effectively segmented, encrypted, and disconnected from the internet by the time of the cyberattack.
In May 2025, HHS OCR announced they had settled with Comstar for $75,000 and a corrective action plan. They summarized the incident:
Comstar did not detect the [March 19] intrusion until March 26, 2022. Ransomware was used to encrypt Comstar’s network servers and the ePHI of approximately 585,621 individuals was affected. At the time of the breach, Comstar was a business associate of over 70 HIPAA covered entities. The type of ePHI impacted was clinical, including medical assessments and medication administration information. OCR’s investigation determined that Comstar failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it holds.
Now, Connecticut and Massachusetts have announced that they, too, have settled charges against Comstar. From Connecticut Attorney General William Tong’s press release of January 28:
Attorney General William Tong and Massachusetts Attorney General Andrea Joy Campbell today announced that Connecticut and Massachusetts have reached a $515,000 settlement with Comstar, LLC, a Massachusetts-based ambulance billing vendor, for failing to safeguard sensitive patient information during a March 2022 data breach that potentially affected the Social Security numbers, driver’s license numbers, financial account numbers, and medical assessment information of approximately 326,426 Massachusetts residents and 22,829 Connecticut residents.
The monetary penalty the states imposed was significantly greater than what HHS OCR settled for. As with the federal settlement, the state attorneys general's settlement not only imposes a monetary penalty but also includes a very detailed corrective action plan in the consent judgment. The settlement is awaiting court approval. As summarized in the press release:
In addition to the monetary payment, Comstar will be required to implement phishing protection software, a vulnerability management program, multi-factor authentication, an asset inventory, an intrusion detection/prevention system, a security incident and event management platform, and security software for laptops and desktops on Comstar’s network. In addition, Comstar will also be required to conduct a security assessment once per year for three years and transmit the findings of those reports to the Massachusetts and Connecticut AGOs.
A comparison of the corrective action plans in the HHS OCR settlement and the state settlement reveals somewhat different requirements, with the state plan being more specific about particular security controls.
And then there were the class-action suits.
On July 12, 2022, the first of several potential class-action lawsuits was filed in federal court in Massachusetts, with Greg Davis as the lead plaintiff. In December 2022, the consolidated cases settled with Comstar, and the consolidated complaint was dismissed without prejudice. Terms of that settlement have not been made public.
Because not all states have public dockets, DataBreaches has not been able to determine how many potential class-action lawsuits (if any) were filed in state courts, how many might be pending, or whether there is no pending litigation.
But if there is a take-home message from this incident, it should be to remind entities of the importance of an accurate, thorough, and regularly updated risk assessment, with appropriate access controls and storage controls for the various types of data they hold.