Earlier this year, the Attorneys General of Massachusetts and Connecticut entered into settlement agreements with Comstar, LLC, an ambulance billing firm, relating to alleged HIPAA regulation violations in connection with a ransomware incident.  Comstar is a business associate under HIPAA, and state regulators are authorized to enforce HIPAA under the authority granted by the Health Information Technology for Clinical and Economic Health (HITECH) Act.  Comstar agreed to pay the Massachusetts Attorney General $415,000 and the Connecticut Attorney General $100,000 as part of the settlements, which also included detailed requirements to enhance Comstar’s information security program.  These settlement agreements with state regulators follow Comstar’s agreement with the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS) last year, on May 30, 2025, related to the same event.  Each of the agreements specifically states that the terms of the settlement are not an admission of liability or wrongdoing by Comstar.

Although companies are generally aware of the potential for federal enforcement under HIPAA, companies should also consider the additional risks posed by state regulators enforcing the HIPAA Privacy and Security Rules. Additionally, the Massachusetts and Connecticut settlements demonstrate that state regulators may seek additional fines and requirements beyond those imposed by HHS.  Together, these actions underscore the continued regulatory scrutiny HIPAA-covered companies face from both federal and state regulators in what appear to be coordinated state enforcement actions following the HHS settlement last May.

Background

Comstar experienced a ransomware incident in 2022, which involved unauthorized access, encryption, and exfiltration of the company’s files.  Comstar’s forensic investigation confirmed that the threat actor obtained personal information and Protected Health Information (PHI), including names, dates of birth, Social Security numbers (SSN), driver’s license numbers, financial account numbers, health insurance information, and medical assessment information.  The company disclosed the incident on March 25, 2022, when it provided notification letters to affected individuals.  In total, the incident affected the information of 585,621 individuals, including more than 320,000 Massachusetts residents and more than 22,000 Connecticut residents.  According to HHS’ investigation, Comstar violated requirements to conduct an accurate and thorough risk assessment related to the electronic PHI that it holds.

Cybersecurity Requirements

The May 2025 HHS settlement includes a corrective action plan agreed to by Comstar that requires it to develop a detailed inventory of physical and virtual assets used to collect and process PHI; conduct a risk analysis and prepare a risk management plan as it relates to the confidentiality, integrity, and availability of PHI in Comstar’s environment; and revise Comstar’s policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules.

In comparison, the January 28, 2026 settlements between Comstar and the Attorneys General of Massachusetts and Connecticut include more prescriptive requirements and detail many of the measures that organizations often consider implementing to strengthen their cybersecurity program, including the following steps:

  • Encrypt personal information and PHI at rest and in transit.
  • Conduct annual risk assessments and penetration testing, and implement remediation measures accordingly.
  • Deploy multi-factor authentication (MFA) for individual user accounts, system administrator accounts, and remote connections to the company’s network.
  • Enhance the maturity of the cybersecurity program by developing a Written Information Security Program (WISP) and adopting a zero-trust architecture.
  • Appoint a Chief Information Security Officer (CISO) responsible for maintaining the information security program and advising the CEO on the program, including reporting to the CEO on security risks faced by Comstar on at least a semi-annual basis.
  • Implement improved security controls, including access control policies, password management, security monitoring (e.g., SIEM), email filtering, phishing protection, antivirus, data loss prevention (DLP) tools, and endpoint security (e.g., EDR).

Privacy & Information Governance Requirements

The settlement agreements with the state regulators also required a number of measures meant to reinforce Comstar’s privacy and data minimization practices.  In addition to notifying its employees of the consent order’s requirements, Comstar must provide specialized training to employees responsible for implementing the company’s information security program.  This training is required to cover how to safeguard and protect personal information.

Additionally, the settlement agreements expand the scope of the security awareness and privacy training required for all personnel with access to personal information as defined under state law, rather than solely personnel with access to PHI as planned under the settlement with HHS.  The state regulators expect Comstar to provide this training within 90 days of the consent order and annually thereafter.

The consent orders also require Comstar to comply with the minimum necessary standard of the HIPAA Privacy Rule, which provides that PHI should not be collected or maintained when it is not necessary to satisfy a particular purpose.  The specific inclusion of the “minimum necessary” standard aligns with the growing list of regulators that have scrutinized over‑retention practices and data minimization requirements in recent settlements, an enforcement trend we have covered in previous articles, including actions taken by NYDFS and the FTC.

Notably, the state regulators emphasized the importance of effective information governance practices by imposing on Comstar precise data archiving requirements.  For both the Massachusetts and Connecticut Attorneys General, Comstar agreed to archive patient transportation data within two years of the date of service of the patient.  Moreover, where Comstar is required to retain these records for more than two years, the company will “to the extent required by applicable law…archive 2-7 year old records” within its offline archival storage under the agreement with the Massachusetts Attorney General.  The periods identified by the Massachusetts Attorney General for archival of old records imply a regulatory expectation that records will be kept for no longer than 7 years unless otherwise needed to fulfill regulatory, legal, and contractual requirements.

These data archiving requirements, coupled with an emphasis on compliance with the “minimum necessary” standard, were presumably included within the agreements with the goal of increasing the security of older data.  First, as many regulators have pointed out, data minimization means less information is available for a threat actor to potentially obtain in a security incident; and, second, by moving older data to offline storage, that data may become more difficult for a threat actor to access, provided the offline storage is properly configured.  This requirement is somewhat similar to the archival and record retention requirements for national securities exchange members, brokers, and dealers:  they “must preserve for a period of not less than 6 years, the first two years in an easily accessible place.”

Our take

The various HHS and state consent orders with Comstar serve as a helpful blueprint for organizations seeking to enhance their cybersecurity, privacy, and information governance and retention programs, at a time when regulators’ focus on all three dimensions continues to intensify.  As regulators increasingly scrutinize data retention and storage practices and compliance with data minimization standards, companies should develop a plan to update their information governance strategy, with particular attention to records containing personal information.  These settlements are particularly interesting because the regulators were not just focused on over-retention – a mantra that has come out in many recent cyber incident settlements – but the state regulators focused on a more nuanced approach to protecting older data that does not need to be accessed as regularly by the business.  This evidences a more sophisticated approach to information governance and a new focus by regulators on pushing for more refined data security procedures and protections based on not just the sensitivity of the data, but how it is used within the organization and its age.

Additionally, although the risk of federal enforcement actions following a cybersecurity incident remains a key consideration, HIPAA-regulated entities should also account for the growing likelihood of state enforcement actions.  Here, the numerically inclined reader will have noticed that the civil penalties agreed to by Comstar in its agreements with the state Attorneys General were considerably higher than in its agreement with HHS.  In this instance, the Massachusetts and Connecticut Attorneys General settled for almost seven times more in civil penalties than HHS.