The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has announced a settlement with Comstar, LLC, a Massachusetts-based billing and collection service provider for non-profit and municipal ambulance services. The settlement addresses potential violations of the HIPAA Security Rule following a ransomware attack that exposed the electronic protected health information (ePHI) of 585,621 individuals.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which outline the obligations of covered entities (such as health plans, healthcare providers, and clearinghouses) and business associates like Comstar to safeguard the privacy and security of protected health information (PHI). One key requirement under the Security Rule is the need for a thorough risk analysis to identify and address potential vulnerabilities to ePHI.

“Assessing risks and vulnerabilities to ePHI isn’t just good cybersecurity practice—it’s required under HIPAA,” said Acting OCR Director Anthony Archeval. “Organizations that fail to conduct risk analyses leave themselves more exposed to cyberattacks.”

Details of the Breach and OCR’s Findings

Comstar reported a data breach to OCR on May 26, 2022, revealing that an unauthorized party had accessed its network servers on March 19, 2022. The breach went undetected until March 26, during which time ransomware was used to encrypt systems containing sensitive ePHI. At the time of the incident, Comstar was serving as a business associate for more than 70 HIPAA-covered entities.

The exposed data included clinical information, such as medical assessments and medication administration records. OCR’s investigation found that Comstar had failed to conduct a comprehensive risk analysis to assess the threats and vulnerabilities to the ePHI in its possession.

Terms of the Settlement

As part of the settlement, Comstar agreed to pay $75,000 to OCR and implement a Corrective Action Plan (CAP) that will be monitored for two years. Under this plan, Comstar must:

  • Conduct a complete and thorough risk analysis of potential vulnerabilities to the confidentiality, integrity, and availability of ePHI.

  • Develop and implement a risk management plan to address findings from the analysis.

  • Review and revise, as needed, its HIPAA policies and procedures, ensuring they align with the HIPAA Privacy, Security, and Breach Notification Rules.

  • Provide HIPAA training to all workforce members who handle PHI.

OCR’s Recommendations to Prevent Cybersecurity Breaches

OCR urges all HIPAA-covered entities and business associates to take proactive steps to protect ePHI from cyber threats, including:

  • Map the flow of ePHI within the organization, from entry to exit across all systems.

  • Integrate risk analysis and mitigation into everyday business operations.

  • Use audit controls to log and monitor system activity.

  • Perform routine reviews of information system usage.

  • Authenticate users to ensure only authorized personnel can access ePHI.

  • Encrypt ePHI both in transit and at rest where appropriate.

  • Apply lessons from past incidents to strengthen cybersecurity strategies.

  • Deliver customized HIPAA training based on job roles and responsibilities.

For more details, view the official resolution agreement and corrective action plan: HHS HIPAA Resolution with Comstar.