Call Us Today! 877-659-2467 contactus@arismedicalsolutions.com
Aris Home
Contact Us
Learn More

Comstar, a Business Associate fined $75K for Ransomware Attack

Posted bySuze Shaffer
Hacking dected

The Office for Civil Rights (OCR) has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates. Comstar, LLC (“Comstar”) meets the definition of “business associate” under 45 C.F.R. § 160.103 because it provides billing, collection, consulting, Electronic Patient Care Reporting (ePCR) hosting, and client/patient services for non-profit and municipal ambulance services.

History

On March 19, 2022, an unknown actor gained access to the electronic protected health information (“ePHI”) maintained on Comstar’s network servers. Comstar did not detect the intrusion until March 26, 2022, when its IT service vendor began receiving support tickets. It was determined ransomware was used to encrypt Comstar’s network servers and that the protected health information (“PHI”) of 585,621 individuals was affected.

HHS’ investigation indicated that the following conduct occurred:

  • Comstar failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that it holds.

Resolution Agreement

  • Comstar has agreed to pay HHS $75,000 on the Effective Date of the Agreement.
  • Comstar agrees to comply with the Corrective Action Plan (“CAP”) and if they fail to cure the breach, then Comstar will be in breach of the Agreement and HHS will not be subject to the Release of the Agreement.
  • HHS does not release Comstar from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
  • The Agreement is binding on Comstar and its successors, heirs, transferees, and assigns.

Summary

This clearly demonstrates the authority HHS has in assessing fines for business associates. Ransomware affects all types of businesses, and an annual risk analysis helps to uncover vulnerabilities to prevent data breaches.

Every medical practice and business associate must have a documented risk analysis and risk management plan. This is not just for compliance, but to protect patients’ information, and the integrity of their operations.

At Aris Medical Solutions, our online HIPAA Keeper™ is an all in one secure, cloud-based system that helps healthcare providers and business associates simplify compliance by maintaining up-to-date policies, procedures, HIPAA training and documentation to meet every aspect of the HIPAA Privacy and Security Rules.

Protect your practice before an attack happens. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

View all posts by Suze Shaffer

Insider hacker

Baycare Health System fined $800K for Impermissible Access Exploited by a Malicious Insider

May 28, 2025
Network cybersecurity

Deer Oaks – The Behavioral Health Solution fined $225K

July 7, 2025
©2025 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC