The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced a $75,000 settlement with ambulance collection and billing service provider Comstar over a 2022 ransomware breach that compromised the clinical data of nearly 600,000 individuals.
As part of the settlement, the company also agreed to undertake a corrective action plan (CAP) and undergo a two-year monitoring period by HHS to ensure compliance.
HHS OCR has the authority to conduct compliance investigations of complaints alleging violations of HIPAA’s Privacy, Security, and Breach Notification Rules. As a business associate providing services to HIPAA-covered entities, Comstar was bound by those rules.
Threat analysis lapse
The alleged violations arise from a cyber breach that occurred on March 19, 2022, in which an unknown threat actor accessed Comstar’s systems and used ransomware to encrypt its network servers. The breach was detected a week later, on March 26, and was reported to HHS two months later, on May 26. Affected data included medical assessments and medication administration information.
HHS OCR found that Comstar failed to adhere to HIPAA’s Security Rule, which protects electronic protected health information (ePHI).
HHS also said Comstar failed “to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that it holds,” although further information about the breach and its causes remains undisclosed.
At the time, Comstar was a business associate of 70 HIPAA-covered entities, performing billing, collection, consulting, Electronic Patient Care Reporting (ePCR) hosting, and client-patient services for non-profit and municipal ambulance services.
Corrective action plan responsibilities
As part of the settlement’s Corrective Action Plan, Comstar agreed to undertake the following remedial actions:
- “Conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that Comstar holds.
- “Develop a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis.
- “Review and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules.
- “Train its workforce members who have access to PHI on its HIPAA policies and procedures.”
As part of the creation of a risk analysis plan, Comstar must develop a complete inventory of its facilities, electronic equipment, data systems, and applications that create, store, transmit, or receive ePHI, for review by HHS.
Comstar must also include, at a minimum, policies and procedures aimed at maintaining compliance with the following sections of the Security Rule:
- Security Management Process;
- Information Access Management;
- Security Awareness and Training;
- Security Incident Procedures.
Further, the policies and procedures must address the following provision of the Breach Notification Rule:
- Notification by a Business Associate.
The settlement did not require Comstar to admit liability.
The settlement continues the Trump administration’s pattern of aggressive cybersecurity breach enforcement. However, the settlement that Comstar agreed to was mild relative to some recent eye-watering actions brought under the False Claims Act.