Urgent Enforcement Amended Final

Connecticut AG settles ambulance vendor data breach for $515,000

Source: CT Attorney General Press Releases (portal.ct.gov)
Filed January 28th, 2026
Detected February 7th, 2026

Summary

Connecticut and Massachusetts Attorneys General have reached a $515,000 settlement with Comstar, LLC, an ambulance billing vendor, following a 2022 data breach. The settlement addresses the failure to safeguard sensitive patient information, impacting over 300,000 residents.

What changed

Connecticut and Massachusetts Attorneys General have announced a $515,000 settlement with Comstar, LLC, an ambulance billing vendor, for failing to adequately safeguard sensitive patient data during a March 2022 data breach. The breach potentially exposed Social Security numbers, driver's license numbers, financial account information, and medical assessment details of approximately 326,426 Massachusetts residents and 22,829 Connecticut residents. The settlement resolves allegations that Comstar violated state consumer protection laws and HIPAA by not maintaining a sufficient Written Information Security Program (WISP), failing to conduct regular risk assessments, and lacking reasonable data retention, encryption, and access control policies.

As part of the settlement, Comstar is required to implement enhanced security measures, including phishing protection, a vulnerability management program, multi-factor authentication, intrusion detection/prevention systems, and security software for its network. The company must also conduct annual security assessments for three years and report the findings to the respective Attorneys General. This action underscores the importance of robust data security practices for vendors handling sensitive patient information and highlights the enforcement actions state AGs will take to protect consumers from data breaches.

Source document (simplified)

The Office of the Attorney General William Tong


Press Releases

01/28/2026

Attorney General Tong Announces $515,000 Settlement with Ambulance Billing Vendor for Failing to Safeguard Sensitive Patient Medical Information

(Hartford, CT) – Attorney General William Tong and Massachusetts Attorney General Andrea Joy Campbell today announced that Connecticut and Massachusetts have reached a $515,000 settlement with Comstar, LLC, a Massachusetts-based ambulance billing vendor, for failing to safeguard sensitive patient information during a March 2022 data breach that potentially affected the Social Security numbers, driver’s license numbers, financial account numbers, and medical assessment information of approximately 326,426 Massachusetts residents and 22,829 Connecticut residents.

In March 2022, an outside actor accessed, encrypted, and held for ransom certain files and servers maintained by Comstar. In May 2022, Comstar began mailing data breach notices to consumers on behalf of the various entities for which it conducts billing.

“Comstar failed to implement basic, necessary security measures, and as a result exposed the Social Security numbers, medical records, driver’s license numbers and financial information for hundreds of thousands of Connecticut and Massachusetts residents. In addition to a significant monetary payment, our settlement requires Comstar to adopt strong security measures going forward and sends a clear message that Connecticut will continue to aggressively enforce our data security laws,” said Attorney General Tong.

The consent judgment, filed in Hartford Superior Court today and awaiting court approval, resolves allegations that Comstar violated Connecticut and Massachusetts security and consumer protection laws and the Health Insurance Portability and Accountability Act (HIPAA) by failing to maintain an adequate Written Information Security Program (WISP) to prevent the initial attack. When implemented, WISPs help to identify and assess reasonably foreseeable risks and evaluate and improve the effectiveness of existing safeguards, including proper employee training and compliance. Further, Comstar failed to conduct regular risk assessments and failed to implement reasonable data retention, encryption, and access control policies and procedures.

In addition to the monetary payment, Comstar will be required to implement phishing protection software, a vulnerability management program, multi-factor authentication, an asset inventory, an intrusion detection/prevention system, a security incident and event management platform, and security software for laptops and desktops on Comstar’s network. Comstar will also be required to conduct a security assessment once per year for three years and transmit the findings of those reports to the Massachusetts and Connecticut AGOs.

Assistant Attorney General Laura Martella and Deputy Associate Attorney General Michele Lucan, Chief of the Privacy and Data Security Section, assisted the Attorney General in this matter.

Twitter: @AGWilliamTong Facebook: CT Attorney General

Media Contact:

Elizabeth Benton
elizabeth.benton@ct.gov

Consumer Inquiries:

860-808-5318
attorney.general@ct.gov

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: State Attorneys General (10 States)
Filed: January 28th, 2026
Instrument: Enforcement
Legal weight: Binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Healthcare providers, Consumers
Geographic scope: National (US)

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Topics: Healthcare, Consumer Protection
