Ambulance Billing Vendor Reaches Settlement With Connecticut Over Data Breach
A Massachusetts-based ambulance billing vendor failed to "safeguard sensitive patient information," Connecticut's attorney general said.

HARTFORD, CT — Connecticut Attorney General William Tong and Massachusetts Attorney General Andrea Joy Campbell Thursday announced that their respective states have reached a $515,000 settlement with Comstar, LLC, a Massachusetts-based ambulance billing vendor, for "failing to safeguard sensitive patient information" during a March 2022 data breach that potentially affected the Social Security numbers, driver's license numbers, financial account numbers, and medical assessment information of approximately 326,426 Massachusetts residents and 22,829 Connecticut residents.
In March 2022, an "outside actor" accessed, encrypted, and held for ransom certain files and servers maintained by Comstar, Tong said. In May 2022, Comstar began mailing data breach notices to consumers on behalf of the various entities for which it conducts billing, he added.
"Comstar failed to implement basic, necessary security measures, and as a result exposed the Social Security numbers, medical records, driver’s license numbers and financial information for hundreds of thousands of Connecticut and Massachusetts residents. In addition to a significant monetary payment, our settlement requires Comstar to adopt strong security measures going forward and sends a clear message that Connecticut will continue to aggressively enforce our data security laws," Tong said.
The consent judgment, which was filed in Hartford Superior Court Thursday and is awaiting court approval, resolves allegations that Comstar violated Connecticut and Massachusetts security and consumer protection laws and the Health Insurance Portability and Accountability Act, commonly known as HIPAA, by failing to maintain an adequate Written Information Security Program (or WISP) to prevent the initial attack, Tong said.
When implemented, WISPs help to identify and assess reasonably foreseeable risks and evaluate and improve the effectiveness of existing safeguards, including proper employee training and compliance. Further, Comstar "failed to conduct regular risk assessments and failed to implement reasonable data retention, encryption, and access control policies and procedures," Tong said.
In addition to the monetary payment, Comstar will be required to implement phishing protection software, a vulnerability management program, multi-factor authentication, an asset inventory, an intrusion detection/prevention system, a security incident and event management platform, and security software for laptops and desktops on Comstar’s network.
Comstar will also be required to conduct a security assessment once per year for three years and transmit the findings of those assessments to the Massachusetts and Connecticut AGs.