Comstar LLC: HHS and state AGs fine ambulance firm over $500,000, require enhanced security, privacy, and data minimization practices

Comstar LLC Settles with State and Federal Regulators Over 2022 Ransomware Breach

In a significant enforcement action, ambulance billing firm Comstar LLC has reached settlement agreements with the Attorneys General of Massachusetts and Connecticut, as well as the U.S. Department of Health and Human Services (HHS), over a 2022 ransomware attack that exposed the protected health information (PHI) of 585,621 individuals. The incident, disclosed on March 25, 2022, involved unauthorized access, encryption, and exfiltration of sensitive data, including names, Social Security numbers, driver’s license details, financial account information, and medical records.

Key Findings and Violations

HHS’s investigation determined that Comstar failed to conduct a thorough risk assessment of its electronic PHI, violating HIPAA Security Rule requirements. The breach impacted over 320,000 Massachusetts residents and 22,000 Connecticut residents, prompting state-level enforcement under the HITECH Act, which grants state regulators authority to enforce HIPAA.

Settlement Terms and Financial Penalties

  • HHS Settlement (May 30, 2025): Comstar agreed to a corrective action plan, including:
    • Developing an inventory of PHI assets
    • Conducting a risk analysis and management plan
    • Revising HIPAA compliance policies
  • State Settlements (January 28, 2026):
    • Massachusetts: $415,000 fine + enhanced security requirements
    • Connecticut: $100,000 fine + similar compliance measures
    • The combined state penalties ($515,000) were nearly seven times the HHS settlement amount, highlighting the growing role of state regulators in HIPAA enforcement.

Cybersecurity and Privacy Mandates

The settlements imposed strict cybersecurity and data governance reforms, including:

  • Encryption of PHI at rest and in transit
  • Annual risk assessments and penetration testing
  • Multi-factor authentication (MFA) for all user and admin accounts
  • Zero-trust architecture and a Written Information Security Program (WISP)
  • Appointment of a Chief Information Security Officer (CISO) to oversee compliance
  • Enhanced monitoring (SIEM, EDR, DLP, email filtering)
  • Data minimization and archiving policies, requiring Comstar to move older records to offline storage (e.g., archiving patient data after two years unless legally required otherwise)
  • Expanded employee training on privacy and security, including specialized instruction for IT staff

The settlements reflect increased scrutiny from both federal and state regulators, with state enforcers imposing stricter penalties and more prescriptive security measures than HHS. The focus on data minimization, archiving, and zero-trust security signals a shift toward more nuanced information governance, where regulators expect organizations to limit data retention and secure older records to reduce breach risks.

Comstar’s case underscores the dual enforcement risk for HIPAA-covered entities, as state regulators continue to coordinate with federal agencies while imposing additional financial and operational burdens. The settlements serve as a benchmark for compliance, particularly in healthcare-adjacent sectors, where PHI protection remains a top regulatory priority.

Source: https://www.dataprotectionreport.com/2026/03/hhs-and-state-ags-fine-ambulance-firm-over-500000-require-enhanced-security-privacy-and-data-minimization-practices/

Comstar, LLC cybersecurity rating report: https://www.rankiteo.com/company/comstar-llc

"id": "COM1772800673",
"linkid": "comstar-llc",
"type": "Ransomware",
"date": "1/2022",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '585,621 individuals (320,000 Massachusetts residents, 22,000 Connecticut residents)',
                        'industry': 'Healthcare',
                        'location': 'United States',
                        'name': 'Comstar LLC',
                        'type': 'Ambulance billing firm'}],
 'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
                 'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '585,621',
                 'personally_identifiable_information': 'Names, Social Security numbers, driver’s license details, financial account information',
                 'sensitivity_of_data': 'High (PHI, SSNs, driver’s license details, financial data)',
                 'type_of_data_compromised': 'Protected health information (PHI), personally identifiable information (PII), financial account information, medical records'},
 'date_detected': '2022-03-25',
 'date_publicly_disclosed': '2022-03-25',
 'description': 'In a significant enforcement action, ambulance billing firm Comstar LLC has reached settlement agreements with the Attorneys General of Massachusetts and Connecticut, as well as the U.S. Department of Health and Human Services (HHS), over a 2022 ransomware attack that exposed the protected health information (PHI) of 585,621 individuals. The incident involved unauthorized access, encryption, and exfiltration of sensitive data, including names, Social Security numbers, driver’s license details, financial account information, and medical records.',
 'impact': {'data_compromised': 'Protected health information (PHI), names, Social Security numbers, driver’s license details, financial account information, medical records',
            'financial_loss': '$515,000 (state fines) + $415,000 (Massachusetts) + $100,000 (Connecticut)',
            'identity_theft_risk': 'High (exposure of SSNs, driver’s license details)',
            'legal_liabilities': 'HIPAA Security Rule violations, HITECH Act enforcement',
            'payment_information_risk': 'High (exposure of financial account information)'},
 'investigation_status': 'Settled',
 'lessons_learned': 'The incident highlights the importance of conducting thorough risk assessments, implementing encryption for PHI, adopting zero-trust architecture, and adhering to data minimization and archiving policies to reduce breach risks. It also underscores the dual enforcement risk from federal and state regulators.',
 'post_incident_analysis': {'corrective_actions': 'Developed an inventory of PHI assets, conducted a risk analysis and management plan, revised HIPAA compliance policies, implemented encryption, MFA, zero-trust architecture, and enhanced monitoring',
                            'root_causes': 'Failure to conduct a thorough risk assessment of electronic PHI, violating HIPAA Security Rule requirements'},
 'ransomware': {'data_encryption': 'Yes', 'data_exfiltration': 'Yes'},
 'recommendations': ['Conduct annual risk assessments and penetration testing',
                     'Implement multi-factor authentication (MFA) for all user and admin accounts',
                     'Adopt zero-trust architecture and a Written Information Security Program (WISP)',
                     'Appoint a Chief Information Security Officer (CISO)',
                     'Enhance monitoring with SIEM, EDR, DLP, and email filtering',
                     'Enforce data minimization and archiving policies (e.g., move older records to offline storage)',
                     'Provide expanded employee training on privacy and security, including specialized IT staff training'],
 'references': [{'source': 'U.S. Department of Health and Human Services (HHS)'},
                {'source': 'Attorney General of Massachusetts'},
                {'source': 'Attorney General of Connecticut'}],
 'regulatory_compliance': {'fines_imposed': '$515,000 (state fines), $415,000 (Massachusetts), $100,000 (Connecticut)',
                           'legal_actions': 'Corrective action plan, risk analysis and management plan, HIPAA compliance policy revisions',
                           'regulations_violated': ['HIPAA Security Rule', 'HITECH Act'],
                           'regulatory_notifications': 'HHS, Attorneys General of Massachusetts and Connecticut'},
 'response': {'enhanced_monitoring': 'SIEM, EDR, DLP, email filtering',
              'remediation_measures': 'Encryption of PHI at rest and in transit, multi-factor authentication (MFA), zero-trust architecture, enhanced monitoring (SIEM, EDR, DLP, email filtering), data minimization and archiving policies'},
 'title': 'Comstar LLC Settles with State and Federal Regulators Over 2022 Ransomware Breach',
 'type': 'Ransomware'}