07/09/2025

HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Comstar, LLC

Settlement Marks OCR’s 13th Ransomware Enforcement Action and 9th Enforcement Action in OCR’s Risk Analysis Initiative

The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced a settlement with Comstar, LLC (“Comstar”), a Massachusetts company that provides billing, collection, and related services.

OCR initiated an investigation after receiving Comstar’s breach report, dated May 26, 2022, that an unknown actor had gained unauthorized access to Comstar’s network servers on March 19, 2022. Comstar did not detect the intrusion until March 26, 2022. Ransomware was used to encrypt Comstar’s network servers and the ePHI of approximately 585,621 individuals was affected. At the time of the breach, Comstar was a business associate of over 70 HIPAA covered entities. The type of ePHI impacted was clinical, including medical assessments and medication administration information.

OCR’s investigation determined that Comstar failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it holds. 

Under the terms of the settlement, Comstar agreed to implement a corrective action plan that OCR will monitor for two years, and paid OCR $75,000. The corrective action plan requires Comstar to take definitive steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

• Conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that Comstar holds;
• Develop a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
• Review and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules; and
• Train its workforce members who have access to PHI on its HIPAA policies and procedures.

OCR recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:

• Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
• Integrate risk analysis and risk management into the organization’s business processes.
• Ensure that audit controls are in place to record and examine information system activity.
• Implement regular reviews of information system activity.
• Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
• Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
• Incorporate lessons learned from incidents into the organization’s overall security management process.
• Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

The TLD Systems HIPAA compliance tool will give your practice access to all of the necessary resources in order to follow all of the OCR recommendations for your practice.

For more information contact TLD Systems at:

Https://www.tldsystems.com

Email : info@tldsystems.com

Phone (631) 403 6687