Comstar Pays $75,000 to Settle HIPAA Investigation

The HHS’ Office for Civil Rights (OCR) has announced a settlement with Comstar, LLC over alleged non-compliance with the HIPAA Security Rule’s risk analysis requirement. This is OCR’s 9th enforcement action under its risk analysis enforcement initiative, its 13th enforcement action involving ransomware, and the 16th financial penalty issued in 2025 to settle alleged HIPAA violations. Comstar, LLC, based in Rowley, Massachusetts, provides billing, collection, and related services to non-profit and municipal emergency ambulance services. The company has agreed to pay a $75,000 financial penalty to resolve the alleged HIPAA violation.

OCR opened its investigation of Comstar after receiving a ransomware attack and data breach report on May 26, 2022. The ransomware group gained access to records containing names, birth dates, medical evaluation and medication data, medical insurance details, and Social Security numbers. Comstar reported the breach to OCR on behalf of several HIPAA-covered entity clients, stating that the protected health information (PHI) of 68,957 individuals was affected. OCR’s investigation found that, at the time of the breach, Comstar had more than 70 HIPAA-covered entity clients and that the PHI of 585,621 people was exposed in the cyberattack.

Comstar discovered the ransomware attack on March 26, 2022, through support tickets received by its IT services vendor; however, the ransomware group had first gained access to its systems on March 19, 2022, a week earlier. Based on its investigation, OCR determined that Comstar had failed to conduct an accurate and thorough risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) held in its systems, in violation of the HIPAA Security Rule at 45 C.F.R. § 164.308(a)(1)(ii)(A).

In addition to paying the financial penalty, Comstar has agreed to adopt a corrective action plan, and OCR will monitor its implementation for two years to ensure compliance. The corrective action plan requires Comstar to conduct a risk analysis, develop and implement a risk management program, revise its policies and procedures to ensure HIPAA compliance, distribute those policies and procedures to its workforce, and provide HIPAA training on them.

Assessing the risks and vulnerabilities to ePHI is fundamental both to cybersecurity and to compliance with the HIPAA Security Rule. Failure to conduct a HIPAA risk analysis leaves healthcare entities more susceptible to cyberattacks, because risks that are never identified cannot be managed.

About Christine Garcia

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations.