OCR Settlement with Comstar Spotlights Ransomware Liability and Risk Analysis Failures in HIPAA Compliance

The U.S. Department of Health and Human Services Office for Civil Rights has announced a $75,000 settlement with Comstar, LLC, a Massachusetts-based billing and revenue cycle company serving emergency ambulance providers, following a ransomware breach that exposed the electronic protected health information of nearly 586,000 individuals. The enforcement action, OCR’s thirteenth tied to a ransomware attack and ninth under its Risk Analysis Initiative, sends a pointed message: failure to conduct a thorough risk assessment leaves covered entities and business associates exposed not only to cybercriminals but also to federal penalties.
The breach, first reported in May 2022, involved unauthorized access to Comstar’s servers beginning on March 19 of that year. The intrusion went undetected for seven days, during which ransomware was deployed to encrypt servers containing sensitive clinical data, including medical assessments and medication administration records. At the time of the breach, Comstar functioned as a business associate to more than 70 HIPAA-covered entities. The investigation concluded that Comstar had not performed an accurate and thorough risk analysis, a core requirement under the HIPAA Security Rule.
Under the two-year corrective action plan that accompanies the settlement, Comstar must conduct a full-scale risk analysis of its systems and data assets, develop a risk management plan that specifically addresses the vulnerabilities identified, revise its HIPAA policies and procedures, and retrain its workforce on its compliance obligations. The complete resolution agreement and plan are publicly available.
This enforcement reinforces a growing federal expectation that business associates, not just covered entities, meet the full scope of HIPAA technical and administrative safeguards. OCR Acting Director Anthony Archeval emphasized that risk assessment is not a bureaucratic task, but a frontline cybersecurity defense. Organizations that skip or minimize this process leave themselves more vulnerable to attack and more likely to face regulatory consequences when breaches occur.
Ransomware has become the dominant threat vector for healthcare organizations. According to the HHS Office for Information Security, ransomware attacks against healthcare delivery organizations increased sharply between 2021 and 2023, exploiting weak credentialing, outdated software stacks, and unmonitored server environments. In many cases, attackers specifically target third-party vendors like Comstar, who often operate with less mature security programs but maintain privileged access to clinical and billing systems.
OCR is urging all HIPAA-regulated entities to revisit their security programs with a specific focus on identifying the location and flow of electronic protected health information, embedding risk analysis into operational workflows, enabling system-wide audit controls, and encrypting ePHI in transit and at rest. These are not aspirational goals. They are explicit HIPAA requirements that must be demonstrable in the event of an incident. Additional guidance and training resources can be found on OCR’s security compliance portal.
As enforcement actions expand, it is increasingly clear that the regulatory risk associated with ransomware extends beyond the breach itself. It encompasses the pre-breach posture of the organization, especially the existence and execution of a rigorous, up-to-date risk analysis process. For business associates like Comstar, that bar is no longer optional. It is a tested element of HIPAA compliance, and OCR is actively holding vendors to account.