
Comstar settles HIPAA ransomware breach affecting over 585k


The U.S. Department of Health and Human Services settled with Comstar, LLC for $75,000 over a ransomware breach affecting 585,621 individuals.

What happened

On May 30, 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Comstar, LLC, a Massachusetts-based company providing billing and collection services to non-profit and municipal emergency ambulance providers. The settlement resolves an OCR investigation into a ransomware attack that compromised the electronic protected health information (ePHI) of 585,621 individuals.

The breach, discovered in March 2022, involved unauthorized access to Comstar’s network servers and encryption of sensitive health data. As part of the settlement, Comstar agreed to a $75,000 penalty and a two-year corrective action plan monitored by OCR. The plan includes conducting a comprehensive risk analysis, developing a risk management plan, updating policies to meet HIPAA requirements, and providing workforce training on protecting health information.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

The backstory

Comstar, acting as a business associate to more than 70 HIPAA-covered entities, reported that an unknown actor gained unauthorized access to its network on March 19, 2022, but the intrusion was not detected until March 26. The ransomware attack encrypted network servers containing clinical ePHI, including medical assessments and medication administration details.

OCR’s investigation found that Comstar failed to conduct an accurate and thorough risk analysis to identify vulnerabilities in its protection of ePHI. This lapse increased the risk of cyberattacks and ultimately led to the breach affecting over half a million individuals.

What was said

According to a press release by the HHS, acting OCR Director Anthony Archeval said: “Assessing the potential risks and vulnerabilities to electronic protected health information is effective cybersecurity, and a HIPAA Security Rule requirement.” Furthermore, he noted that “Failure to conduct a HIPAA risk analysis can cause health care entities to be more susceptible to cyberattacks.”

In the know

A risk analysis is a systematic process that healthcare organizations and their business associates use to identify and evaluate potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). It is a HIPAA Security Rule requirement that helps organizations understand where their security gaps lie and prioritize actions to reduce risks. Conducting a thorough risk analysis enables proactive protection against data breaches and cyberattacks, ensuring that sensitive patient information remains secure and compliance obligations are met.

Why it matters

This settlement demonstrates the need for rigorous risk assessments and proactive cybersecurity measures for all entities handling sensitive health information. With ransomware attacks on the rise, failure to identify and address vulnerabilities can have significant consequences, exposing hundreds of thousands of patients’ personal health data and undermining trust in healthcare organizations.

Go deeper: Ransomware now leads all healthcare data breaches

FAQs

What is ransomware?

Ransomware is malicious software that infects a computer or network, encrypts data, and blocks access to it while demanding a ransom payment from the victim in exchange for restoring access. It can cause significant disruption, especially in healthcare organizations handling sensitive patient data.

Why is ransomware a major concern for healthcare organizations?

Healthcare organizations store vast amounts of sensitive patient information. A ransomware attack can lead to data loss, disrupt medical services, expose private health information, and result in hefty fines for non-compliance with HIPAA regulations.