By Richard Chumney
Journal Inquirer
HARTFORD, Conn. — An ambulance billing company has agreed to pay Connecticut and Massachusetts $515,000 for a 2022 data breach that exposed the private information of nearly 350,000 residents, officials said.
The Massachusetts-based Comstar, LLC has also agreed to implement a series of digital security measures and conduct annual security assessments, according to Connecticut Attorney General William Tong.
“In addition to a significant monetary payment, our settlement requires Comstar to adopt strong security measures going forward and sends a clear message that Connecticut will continue to aggressively enforce our data security laws,” Tong said.
Tong said the settlement, filed in Hartford Superior Court Wednesday, stems from a March 2022 cyberattack in which an outside actor accessed, encrypted and held for ransom files and servers maintained by Comstar.
The breach exposed the Social Security numbers, driver’s license numbers, financial account numbers and medical assessment information of about 326,426 Massachusetts residents and 22,829 Connecticut residents, Tong said.
Tong said Comstar violated security and consumer protection laws by failing to maintain an adequate security program to prevent the attack, conduct regular risk assessments and implement reasonable data retention policies.
A spokesperson for Comstar did not immediately return a request for comment. The company said in a 2022 data breach notice that it immediately took steps to confirm the security of its systems and warned customers to watch out for identity theft.
“While we had policies and procedures in place at the time of incident regarding security of information, we are reviewing those policies and procedures to further protect against similar incidents moving forward,” the company said at the time.
In a statement, Massachusetts Attorney General Andrea Joy Campbell said her state will receive $415,000 from the monetary settlement while the remaining $100,000 will be provided to Connecticut.
In addition to the payment, Comstar will be required to implement phishing protection software, multifactor authentication, an intrusion detection and prevention system and security software for laptops and desktops on Comstar’s network, among other measures, Tong said.
Tong said the company has also agreed to conduct annual security assessments for three years and transmit the findings of those reports to the attorneys general in Connecticut and Massachusetts.
© 2026 Journal Inquirer, Manchester, Conn.
Visit www.journalinquirer.com.
Distributed by Tribune Content Agency, LLC.