February 2, 2026

Ambulance billing vendor ordered to pay $515,000 to data breach victims in Massachusetts and Connecticut

On January 28, 2026, the Attorneys General of Massachusetts and Connecticut announced that proposed settlements have been reached with Comstar LLC, an ambulance billing and collection services provider based in Massachusetts, in connection with a data breach in March 2022 that affected approximately 326,426 Massachusetts residents and 22,829 Connecticut residents. In the settlements, Comstar is required to pay a total of $515,000 to resolve allegations that it failed to maintain an adequate Written Information Security Program that might have prevented the ransomware attack that enabled an outside cyber actor to access patients’ Social Security numbers, driver’s license numbers, financial account numbers and medical assessment information. The cyber actor was also allegedly able to encrypt certain files and servers and hold them for ransom. Prosecutors for both states allege that Comstar’s inadequate information security practices, including failure to conduct regular risk assessments and to implement reasonable data retention, encryption and access control policies and procedures, violated Connecticut and Massachusetts security and consumer protection laws and the Health Insurance Portability and Accountability Act (HIPAA).

The settlements, which are pending court approval, will require Comstar to pay $415,000 to Massachusetts and $100,000 to Connecticut. Comstar will also be required to enhance its information security program to include, among other things, phishing protection software, multi-factor authentication, and an intrusion detection/prevention system. The company will also be required to conduct annual security assessments for the next three years and report the findings to the Massachusetts and Connecticut AG Offices.

Massachusetts OAG Press Release | Proposed Settlement – MA | Connecticut OAG Press Release | Proposed Settlement – CT