Comstar Ambulance Billing Service Cyber Attack and Data Breach

‣ Medical and Social Security Information At Risk

On June 14, 2022, Comstar, LLC (“Comstar”), based in Rowley, Massachusetts, reported a data breach to the California Attorney General’s Office. Comstar, an ambulance billing service, states in its official Data Breach Notice that the recent incident may affect the privacy of some California residents’ personal information. Nationwide, approximately 69,000 people were affected by this data breach.

According to Comstar’s California Data Breach Notice and the notices provided to other state authorities, on or about March 26, 2022, Comstar “discovered suspicious activity related to certain servers within its environment.” On April 21, 2022, Comstar determined that it was the subject of a cyber-attack, and that certain files were accessed from its network.

Individuals with personal information in the compromised files may have already been notified by the company.

What Data May Have Been Compromised by Comstar’s Data Breach?

According to the Comstar Data Breach Notices, the following data may have been accessed:

  • Name
  • Social Security number
  • Medical assessment
  • Date of birth
  • Medication administration
  • Health insurance information
  • Driver’s license
  • Financial Account Information

The full notice provided by Comstar can be viewed here.

Comstar is offering affected individuals complimentary identity monitoring services through Equifax Credit Watch Gold.

Special California Laws Protect You From Data Breach Harms

If you are a California resident and received a Notice of Data Breach from Comstar, you may be entitled to between $100 and $1,000 plus actual damages resulting from the negligent release of your confidential information. California has unique state laws, including the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act (CMIA) that compensate individuals whose confidential and sensitive data have been accessed and offered for sale on the dark web.

Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again) and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from occurring again.).

As Electronic Personal Data Doesn’t Degrade, Identity Theft Services Offered by Comstar May Not Be Enough

Cybercrimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is under $20, depending on the type of information according to Privacy Affairs Dark Web Index of 2021. Certain critical types of personal information – like social security numbers, names, and birth dates – are almost impossible to change.

Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities. “The effects of a health data breach on consumers outlast the initial breach.”[1] Thus, once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses.

Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.

Corporations Should Be Held Accountable For Data Breaches

“The healthcare sector has been a main target of cyberattacks. [. . . ] Data breaches, particularly when they involve sensitive information such as Social Security numbers and health records, threaten the privacy, security, and economic wellbeing of consumers. ” [2]

When businesses decide to collect and keep personal data about current or former California residents, under California law they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”[3] The stakes are high: Data breach victims are more likely to also be victims of additional fraud.[4]



[1] Source: R. Bonta, California Attorney General, BULLETIN: Obligation to Proactively Reduce Vulnerabilities to Ransomware Attacks and Requirements Regarding Health Data Breach Reporting (2021).

[2] Same.

[3] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).

[4] Same.