Comstar Settles HIPAA Allegations with $75K Payment Related to 2022 Breach

Ambulance billing firm Comstar has agreed to pay $515,000 to Massachusetts and Connecticut to settle claims arising from a 2022 ransomware incident that compromised sensitive data belonging to approximately 350,000 New England residents. Massachusetts will receive $415,000 and Connecticut $100,000, as confirmed by the attorneys general of both states.
The breach occurred in March 2022, when attackers gained unauthorized access to Comstar's servers, encrypted critical files, and demanded payment. The affected files contained patient identifiers and health information, including patient names, birth dates, medical assessments, insurance details, driver's license numbers, financial information, and Social Security numbers. Exposure of this combination of data raises significant concern about the potential misuse of personal health information.
This is not Comstar's first encounter with regulators over this breach. In June 2022, the company paid a $75,000 fine to the U.S. Department of Health and Human Services (HHS) and was required to implement a corrective action plan to strengthen its data security. HHS indicated that the breach affected 70 of Comstar's clients and nearly 586,000 individuals nationwide, and attributed it to an inadequate HIPAA risk analysis.
Under the agreements with the state regulators, Comstar must institute a comprehensive information security program designed to prevent similar incidents. Key components of the program include zero trust architecture, multi-factor authentication, encryption, and vulnerability management. Comstar must also limit the retention of records in its live database to no more than two years.
The settlements are pending final judicial approval. Once approved, the required security measures become binding compliance obligations intended to safeguard sensitive health data. Comstar joins a growing cohort of healthcare entities facing heightened regulatory oversight after breaches, highlighting persistent weaknesses in the industry.
The MITRE ATT&CK framework provides a useful vocabulary for the kinds of techniques a ransomware operation of this type typically involves: initial access (for example, exploiting vulnerabilities), persistence to maintain a foothold on the network, and data encryption for impact. The case also reflects a broader trend of state attorneys general aggressively enforcing HIPAA, an authority granted to them by the HITECH Act of 2009 and implemented through the HIPAA Omnibus Rule of 2013.
As healthcare cybersecurity continues to evolve, Comstar's experience illustrates both the risks involved and the importance of robust data protection, particularly as state and federal regulators intensify their enforcement actions.