HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Comstar, LLC

Settlement Marks OCR’s 13^th Ransomware Enforcement Action and 9^th Enforcement Action in OCR’s Risk Analysis Initiative

Today, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced a settlement with Comstar, LLC (“Comstar”), a Massachusetts company that provides billing, collection, and related services to non-profit and municipal emergency ambulance services, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation concerning a ransomware breach that affected 585,621 individuals.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates – such as Comstar – must follow to protect the privacy and security of protected health information (PHI). The Risk Analysis provision of the Security Rule requires a regulated organization to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by that organization.

“Assessing the potential risks and vulnerabilities to electronic protected health information is effective cybersecurity, and a HIPAA Security Rule requirement,” said Acting OCR Director Anthony Archeval. “Failure to conduct a HIPAA risk analysis can cause health care entities to be more susceptible to cyberattacks.”

OCR initiated an investigation after receiving Comstar’s breach report, dated May 26, 2022, that an unknown actor had gained unauthorized access to Comstar’s network servers on March 19, 2022. Comstar did not detect the intrusion until March 26, 2022. Ransomware was used to encrypt Comstar’s network servers and the ePHI of approximately 585,621 individuals was affected. At the time of the breach, Comstar was a business associate of over 70 HIPAA covered entities. The type of ePHI impacted was clinical, including medical assessments and medication administration information. OCR’s investigation determined that Comstar failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it holds. 

Under the terms of the settlement, Comstar agreed to implement a corrective action plan that OCR will monitor for two years, and paid OCR $75,000. The corrective action plan requires Comstar to take definitive steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

• Conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that Comstar holds;
• Develop a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
• Review and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules; and
• Train its workforce members who have access to PHI on its HIPAA policies and procedures.

OCR recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:

• Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
• Integrate risk analysis and risk management into the organization’s business processes.
• Ensure that audit controls are in place to record and examine information system activity.
• Implement regular reviews of information system activity.
• Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
• Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
• Incorporate lessons learned from incidents into the organization’s overall security management process.
• Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hhs-hipaa-agreement-comstar/index.html 

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of individuals’ protected health information. Please see OCR’s guidance and webinar, links to an external website, opens in a new tab on the HIPAA Security Rule Risk Analysis requirement. Guidance about the Privacy, Security, and Breach Notification Rules can also be found on OCR’s website.

If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.

Follow HHS OCR on X (formerly Twitter) at @HHSOCR.