
Comstar to Pay State AGs $515,000 to Settle Alleged HIPAA Violations

Comstar, a Massachusetts-based ambulance billing and collections company, has been investigated by the Massachusetts Attorney General and found to have violated the Health Insurance Portability and Accountability Act (HIPAA) and the Massachusetts Data Security Regulations. Comstar will pay a $515,000 penalty to resolve the alleged violations.

Comstar was investigated over a March 2022 cyberattack and data breach. A cyber threat actor breached its network, exfiltrated files, and used ransomware to encrypt data on its network. While the attack was detected on March 26, 2022, the ransomware group gained access to its network on March 19, 2026. The forensic investigation confirmed that protected health information (PHI) had been stolen, including names, Social Security numbers, driver’s license numbers, financial information, and medical assessment information. The PHI of 585,621 individuals was compromised in the ransomware attack, including 326,426 Massachusetts residents and 22,829 Connecticut residents.

The Rowley, Massachusetts-based company faced an investigation by the Department of Health and Human Services Office for Civil Rights (OCR), which determined that Comstar failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) stored within its systems. The alleged HIPAA violation was resolved with a $75,000 financial penalty and a corrective action plan.

An investigation was also launched by the Massachusetts Attorney General to assess whether Comstar had complied with HIPAA, the Massachusetts Consumer Protection Act, the Massachusetts Data Security Regulations, and the Massachusetts Data Security Law. The Connecticut Attorney General partnered with the Massachusetts Attorney General in the investigation. Massachusetts Attorney General Andrea Campbell alleged that Comstar had violated HIPAA and the Massachusetts Data Security Regulations by failing to maintain an adequate Written Information Security Program (WISP), which should have allowed the company to identify and correct vulnerabilities and inadequacies in its data security program.


The consent judgment was filed in Suffolk Superior Court on January 28, 2026, and awaits approval from the court. If approved, Massachusetts will receive $415,000, and Connecticut will receive $100,000. In addition to the financial penalty, Comstar is required to implement additional security measures. An effective WISP must be established and maintained, along with anti-phishing software, multifactor authentication, an intrusion detection/prevention system, and a security information and event management (SIEM) platform.

Comstar must also implement and maintain a comprehensive and accurate IT asset inventory, appropriate access controls, password policies requiring strong unique passwords for all accounts, encryption for ePHI at rest and in transit, data loss protection software, a penetration testing program, and security software on all laptop and desktop computers. Comstar must also arrange for third-party annual security assessments to be conducted for the next three years. The Massachusetts and Connecticut Attorneys General require reports to be submitted by the third-party assessor on the findings of each annual security risk assessment.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
