HHS OCR Found Massachusetts-Based Comstar Failed to Conduct HIPAA Risk Analysis
A Massachusetts-based ambulance billing company has agreed to pay federal regulators a $75,000 penalty and implement a corrective action plan following a 2022 ransomware breach that affected about 70 clients and nearly 586,000 people.
The U.S. Department of Health and Human Services’ Office for Civil Rights said on Friday that it had reached the settlement with Comstar LLC following the agency’s investigation into potential HIPAA violations arising from the company’s hacking incident (see: Hacks Spotlight PHI Risks for Ambulance Cos Vendors).
HHS OCR found that Comstar failed to conduct a timely and thorough HIPAA security risk analysis, a shortcoming that for years has been a recurring weakness among the covered entities and business associates that HHS OCR investigates and audits.
In fact, the Comstar settlement marks the ninth enforcement action by HHS OCR since the agency launched its risk analysis enforcement initiative in October 2024.
“Assessing the potential risks and vulnerabilities to electronically protected health information is effective cybersecurity, and a HIPAA Security Rule requirement,” said Anthony Archeval, HHS OCR acting director, in a statement. “Failure to conduct a HIPAA risk analysis can cause healthcare entities to be more susceptible to cyberattacks.”
The Comstar case is also HHS OCR’s 13th enforcement action since launching another priority enforcement initiative – around ransomware – in October 2023 (see: Feds Levy First Ever HIPAA Fine for Ransomware Data Breach).
HHS OCR said it initiated an investigation into the matter after Comstar submitted a breach report on May 26, 2022, stating that an unknown actor had gained unauthorized access to Comstar’s network servers on March 19, 2022.
Comstar did not detect the intrusion until a week later, on March 26, and only when its IT service vendor began receiving support tickets, HHS OCR said.
The attackers encrypted Comstar’s network servers with ransomware, compromising the health information of 585,621 people, HHS OCR said. The affected information included individuals’ names, dates of birth, medical assessment and medication administration records, health insurance information, driver’s license numbers, financial account information and Social Security numbers, according to Comstar’s breach notice.
At the time of the breach, Rowley, Mass.-based Comstar served as a business associate to more than 70 HIPAA-covered organizations, HHS OCR said. Comstar provides billing, collection, consulting, electronic patient care reporting hosting and client and patient services for nonprofit and municipal ambulance services.
Under the settlement, Comstar does not admit to any liability. Comstar did not immediately respond to Information Security Media Group’s request for comment on the settlement with HHS OCR.
Under the resolution agreement, Comstar also must implement a corrective action plan to improve its data security and privacy practices. The company must:
- Conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI;
- Develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities found in its risk analysis;
- Review and revise, as necessary, its written policies and procedures to comply with the HIPAA privacy, security and breach notification regulations;
- Implement those policies and procedures and distribute them to all workforce members;
- Provide HIPAA training materials to all workforce members who have access to ePHI within 30 days of the adoption of those policies and procedures.
The Comstar settlement is HHS OCR’s 16th HIPAA enforcement action so far in 2025, including six announced while the Biden administration was still in office.
Last week, HHS OCR also announced that BayCare, a Florida healthcare system, paid $800,000 and will implement a corrective action plan to settle a HIPAA investigation into a malicious insider incident involving a patient’s medical records in 2018 (see: Florida Health Systems Pays $800K for Insider Records Snooping).