WASHINGTON, D.C. — The Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with Comstar, LLC, a Massachusetts-based billing and collection company for emergency ambulance services, in connection with a significant breach of protected health information (PHI). The breach, stemming from a ransomware attack, affected the electronic health records of 585,621 individuals and exposed vulnerabilities in the company’s compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
Timeline of the Breach
The OCR investigation revealed that an unauthorized party infiltrated Comstar’s network servers on March 19, 2022. The breach went undetected for a week until March 26, when ransomware encrypted the company’s servers, compromising the confidentiality, integrity, and availability of its electronic protected health information (ePHI). The breach primarily impacted clinical PHI, including sensitive medical assessments and medication details. At the time, Comstar acted as a business associate for over 70 HIPAA-covered entities, escalating the breadth of the incident.
Settlement Overview
Following the investigation, OCR determined that Comstar had failed to conduct an accurate and thorough risk analysis, a core requirement under the HIPAA Security Rule that requires organizations to assess the vulnerabilities of, and potential risks to, their ePHI. Acting OCR Director Anthony Archeval emphasized the significance of this process, explaining, “Assessing the potential risks and vulnerabilities to electronic protected health information is effective cybersecurity, and a HIPAA Security Rule requirement. Failure to conduct a HIPAA risk analysis can cause health care entities to be more susceptible to cyberattacks.”
To resolve the allegations, Comstar has agreed to a monetary settlement of $75,000 along with a two-year corrective action plan overseen by OCR. This arrangement underscores the agency’s commitment to ensuring that organizations entrusted with sensitive health data adhere to federal regulations designed to protect patient privacy.
Corrective Action Plan Highlights
Comstar’s corrective action plan outlines a series of measures to bring the company into full compliance with the HIPAA Security Rule. These include:
- Comprehensive Risk Assessment: Conducting a detailed, organization-wide analysis of risks and vulnerabilities to the ePHI it handles and maintains.
- Enhanced Risk Management Plan: Developing and implementing a robust plan to mitigate and address the security risks identified during the risk analysis.
- Policy and Procedure Overhaul: Reviewing and, where necessary, revising its policies to align with the HIPAA Privacy, Security, and Breach Notification Rules.
- Workforce Training: Ensuring that all employees with access to PHI receive specialized training on HIPAA compliance and the organization’s revised policies.
OCR will monitor Comstar’s progress on these initiatives throughout the two-year period to confirm adherence to the settlement terms.
OCR’s Guidance for HIPAA-Covered Entities
To help prevent similar breaches, OCR issued recommendations for other organizations under HIPAA jurisdiction, including health care providers, plans, and their business associates. Key steps include:
- Mapping the flow of PHI throughout the organization’s information systems.
- Integrating risk analysis into overarching business processes.
- Deploying audit controls to monitor system activity.
- Encrypting ePHI both during transit and at rest to minimize exposure.
- Providing continuous HIPAA training tailored to employees’ roles and system access levels.
- Regularly reviewing and updating security processes based on past incidents.
By encouraging proactive measures, OCR aims to fortify the health care sector against the escalating threat of cyberattacks.