Comstar to Settle Alleged HIPAA Violations for $515,000

The Massachusetts Attorney General investigated Comstar, an ambulance billing and collections company in Massachusetts, and determined that it had failed to comply with the Massachusetts Data Security Regulations and the Health Insurance Portability and Accountability Act (HIPAA). Comstar will pay $515,000 to settle the alleged violations.

The investigation concerned a March 2022 cyberattack that resulted in a data breach. A threat actor accessed Comstar’s systems, stole files, and deployed ransomware to encrypt data on its network. Comstar discovered the attack on March 26, 2022, although the threat actor had accessed the system on March 19, 2026. The forensic investigation determined that the ransomware group stole protected health information (PHI), including names, driver’s license numbers, Social Security numbers, financial data, and medical evaluation details. The attack compromised the PHI of 585,621 individuals, including 326,426 Massachusetts residents and 22,829 Connecticut residents.

The Department of Health and Human Services’ Office for Civil Rights (OCR) investigated Comstar, based in Rowley, Massachusetts, and found that it had not conducted a thorough and accurate risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) held in its systems. Comstar settled the alleged HIPAA violation by paying a $75,000 financial penalty and implementing a corrective action plan.

The Massachusetts Attorney General also opened an investigation into Comstar’s compliance with HIPAA, the Massachusetts Data Security Regulations, the Massachusetts Consumer Protection Act, and the Massachusetts Data Security Regulation. The Connecticut Attorney General joined the investigation. According to Massachusetts Attorney General Andrea Campbell, Comstar violated HIPAA and the Massachusetts Data Security Regulations by failing to maintain an adequate Written Information Security Program (WISP), which should have enabled the company to identify and correct vulnerabilities and deficiencies in its data protection controls.

On January 28, 2026, Comstar filed the consent judgment in Suffolk Superior Court, where it awaits court approval. If approved, Massachusetts will receive $415,000 and Connecticut will receive $100,000. In addition to the financial penalty, Comstar must implement further security measures: it must establish and maintain a robust WISP, multifactor authentication, anti-phishing software, an intrusion detection and prevention system, and a security information and event management platform.

Comstar must also implement and maintain a comprehensive and accurate IT asset inventory, appropriate access controls, password policies requiring strong, unique passwords for account creation, encryption of ePHI, data loss prevention software, a penetration testing program, and endpoint security software on all desktop and laptop computers. Comstar must also obtain annual third-party security assessments for the next three years, and the third-party assessor must submit reports on the results of each annual security risk assessment to the Connecticut and Massachusetts Attorneys General.

Image credit: Kornkanok, Adobestock


Posted by

John Blacksmith

John Blacksmith is a journalist with several years’ experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years’ experience.