Attorney General Tong Announces Settlement with Ambulance Billing Vendor
pIt seems that JavaScript is not working in your browser It could be because it is not supported or
that JavaScript is intentionally disabled Some of the features on CTgov will not function properly
with out javascript enabledppSettings Menupp
01282026 ppHartford CT Attorney General William Tong and Massachusetts Attorney General Andrea Joy Campbell today announced that Connecticut and Massachusetts have reached a 515000 settlement with Comstar LLC a Massachusettsbased ambulance billing vendor for failing to safeguard sensitive patient information during a March 2022 data breach that potentially affected the Social Security numbers drivers license numbers financial account numbers and medical assessment information of approximately 326426 Massachusetts residents and 22829 Connecticut residents ppIn March 2022 an outside actor accessed encrypted and held for ransom certain files and servers maintained by Comstar In May 2022 Comstar began mailing data breach notices to consumers on behalf of the various entities for which it conducts billing ppComstar failed to implement basic necessary security measures and as a result exposed the Social Security numbers medical records drivers license numbers and financial information for hundreds of thousands of Connecticut and Massachusetts residents In addition to a significant monetary payment our settlement requires Comstar to adopt strong security measures going forward and sends a clear message that Connecticut will continue to aggressively enforce our data security laws said Attorney General Tong pp
ppThe consent judgement filed in Hartford Superior Court today and which is awaiting court approval resolves allegations that Comstar violated Connecticut and Massachusetts security and consumer protection laws and the Health Insurance Portability and Accountability Act HIPAA by failing to maintain an adequate Written Information Security Program WISP to prevent the initial attack When implemented WISPs help to identify and assess reasonably foreseeable risks and evaluate and improve the effectiveness of existing safeguards including proper employee training and compliance Further Comstar failed to conduct regular risk assessments and failed to implement reasonable data retention encryption and access control policies and procedures ppIn addition to the monetary payment Comstar will be required to implement phishing protection software a vulnerability management program multifactor authentication an asset inventory an intrusion detectionprevention system a security incident and event management platform and security software for laptops and desktops on Comstars network In addition Comstar will also be required to conduct a security assessment once per year for three years and transmit the findings of those reports to the Massachusetts and Connecticut AGOs ppAssistant Attorney General Laura Martella and Deputy Associate Attorney General Michele Lucan Chief of the Privacy and Data Security Section assisted the Attorney General in this matterppElizabeth Benton
elizabethbentonctgovpp8608085318
attorneygeneralctgovpp
2016 CTgov Connecticuts Official State Website
p
that JavaScript is intentionally disabled Some of the features on CTgov will not function properly
with out javascript enabledppSettings Menupp
01282026 ppHartford CT Attorney General William Tong and Massachusetts Attorney General Andrea Joy Campbell today announced that Connecticut and Massachusetts have reached a 515000 settlement with Comstar LLC a Massachusettsbased ambulance billing vendor for failing to safeguard sensitive patient information during a March 2022 data breach that potentially affected the Social Security numbers drivers license numbers financial account numbers and medical assessment information of approximately 326426 Massachusetts residents and 22829 Connecticut residents ppIn March 2022 an outside actor accessed encrypted and held for ransom certain files and servers maintained by Comstar In May 2022 Comstar began mailing data breach notices to consumers on behalf of the various entities for which it conducts billing ppComstar failed to implement basic necessary security measures and as a result exposed the Social Security numbers medical records drivers license numbers and financial information for hundreds of thousands of Connecticut and Massachusetts residents In addition to a significant monetary payment our settlement requires Comstar to adopt strong security measures going forward and sends a clear message that Connecticut will continue to aggressively enforce our data security laws said Attorney General Tong pp
ppThe consent judgement filed in Hartford Superior Court today and which is awaiting court approval resolves allegations that Comstar violated Connecticut and Massachusetts security and consumer protection laws and the Health Insurance Portability and Accountability Act HIPAA by failing to maintain an adequate Written Information Security Program WISP to prevent the initial attack When implemented WISPs help to identify and assess reasonably foreseeable risks and evaluate and improve the effectiveness of existing safeguards including proper employee training and compliance Further Comstar failed to conduct regular risk assessments and failed to implement reasonable data retention encryption and access control policies and procedures ppIn addition to the monetary payment Comstar will be required to implement phishing protection software a vulnerability management program multifactor authentication an asset inventory an intrusion detectionprevention system a security incident and event management platform and security software for laptops and desktops on Comstars network In addition Comstar will also be required to conduct a security assessment once per year for three years and transmit the findings of those reports to the Massachusetts and Connecticut AGOs ppAssistant Attorney General Laura Martella and Deputy Associate Attorney General Michele Lucan Chief of the Privacy and Data Security Section assisted the Attorney General in this matterppElizabeth Benton
elizabethbentonctgovpp8608085318
attorneygeneralctgovpp
2016 CTgov Connecticuts Official State Website
p
