OCR Settles HIPAA Investigation with Comstar for $75,000
The HHS’ Office for Civil Rights (OCR) has announced another settlement to resolve an alleged violation of the risk analysis requirement of the HIPAA Security Rule. This is the 9th enforcement action under its risk analysis enforcement initiative, the 13th ransomware-related enforcement action to result in a financial penalty, and the 16th financial penalty of the year to resolve alleged HIPAA violations. Comstar, LLC, a Rowley, Massachusetts-based provider of billing, collection, and related services to non-profit and municipal emergency ambulance services, has agreed to pay a financial penalty of $75,000 to settle the alleged HIPAA violation.
OCR initiated an investigation following a May 26, 2022, report of a ransomware attack and data breach. The ransomware group gained access to files containing names, dates of birth, medical assessment and medication information, health insurance information, and Social Security numbers. The breach was reported to OCR by Comstar on behalf of some of its covered entity clients as involving the protected health information of 68,957 individuals. OCR’s investigation confirmed that at the time of the breach, Comstar had more than 70 HIPAA-covered entity clients, and in total, the protected health information of 585,621 individuals was compromised in the ransomware attack.
The attack was detected on March 26, 2022, when its IT services vendor started receiving support tickets; however, the ransomware group gained access to its network on March 19, 2022. OCR’s investigation determined that Comstar had failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) stored within its systems, in violation of 45 C.F.R. § 163.308(a)(l)(ii)(A) of the HIPAA Security Rule.
In addition to paying a financial penalty, Comstar has agreed to implement a corrective action plan and will be monitored for compliance for two years. The corrective action plan requires Comstar to conduct a risk analysis, develop and implement a risk management plan, update its policies and procedures to ensure HIPAA compliance, distribute those policies and procedures to the workforce, and provide HIPAA training on those policies.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
“Assessing the potential risks and vulnerabilities to electronic protected health information is effective cybersecurity, and a HIPAA Security Rule requirement,” said Acting OCR Director Anthony Archeval. “Failure to conduct a HIPAA risk analysis can cause health care entities to be more susceptible to cyberattacks.”
