Settlement | Medium Risk | Multistate

CT and MA AGs Settle with Comstar for $515K Over Patient Data Breach

Comstar, LLC | January 28, 2026 | Connecticut Attorney General

Penalty Amount

$515,000

Consumers Affected

349,255

Summary

Comstar, LLC, an ambulance billing vendor, suffered a data breach in March 2022 that exposed sensitive patient information, including Social Security numbers and medical records, of over 349,000 residents in Connecticut and Massachusetts. The settlement requires Comstar to pay $515,000 and implement enhanced security measures such as phishing protection and annual security assessments.

Remedy

Comstar must pay $515,000, implement security measures including phishing protection software, a vulnerability management program, and multi-factor authentication, and conduct annual security assessments for three years, with reports to the Connecticut and Massachusetts Attorneys General.

Monetary Penalty | Compliance Program | Audit Requirement | Reporting Requirements

Contract Impact

In-house legal teams should review vendor agreements, data processing agreements, and Business Associate Agreements (BAAs) with entities like Comstar that handle sensitive patient data. Key clauses to scrutinize include data security standards, breach notification requirements, HIPAA compliance obligations, audit rights, and indemnification provisions. Given the settlement, contracts should be updated to mandate specific security measures such as phishing protection and annual security assessments, ensure prompt breach notification in line with state and federal laws, and include robust indemnification clauses to cover potential liabilities from data breaches involving protected health information.

Contract Search Terms

HIPAA compliance; data security standards; breach notification protocol; encryption requirements; annual security assessments; phishing protection measures; protected health information (PHI) handling; vendor indemnification for data breaches; audit rights for security; data retention and disposal

Laws Cited

Connecticut and Massachusetts security and consumer protection laws
Health Insurance Portability and Accountability Act (HIPAA)

Entity Details

Entity

Comstar, LLC

Also known as: Comstar

Industry

Healthcare

Source Evidence

Entity Name: "Comstar, LLC"
Fine Amount: "$515,000"
Laws Cited: "Health Insurance Portability and Accountability Act (HIPAA)"
Laws Cited: "Connecticut and Massachusetts security and consumer protection laws"
Violation Types: "data breach"
Violation Types: "failing to implement basic, necessary security measures"

Related Enforcement Actions

MA

Comstar, LLC

$515K

Massachusetts Attorney General secured a $515,000 settlement with Comstar, LLC for a March 2022 data breach that exposed sensitive patient information of over 326,000 Massachusetts residents. Comstar violated Massachusetts Data Security regulations and HIPAA by failing to maintain adequate security measures. The settlement includes monetary payment and mandated security improvements.

CT

U.S. Food and Drug Administration (FDA)

On May 11, 2026, Connecticut Attorney General William Tong led a bipartisan coalition of 21 attorneys general in submitting a comment letter to the U.S. Food and Drug Administration (FDA) urging the agency to abandon draft guidance that would ease approvals for flavored e-cigarette products. The coalition argues the guidance ignores evidence that flavored e-cigarettes disproportionately drive youth addiction and that FDA has failed to enforce existing authorization requirements for e-cigarette products. The letter references past tobacco and e-cigarette enforcement actions, including the 1998 tobacco master settlement agreement and the 2022 $438.5 million settlement with JUUL Labs.

CT

Bad actor platforms

Connecticut’s legislature passed House Bill 5312, creating new civil enforcement mechanisms for deepfake digital sexual assault, including unauthorized dissemination of synthetically created intimate images and AI-generated child pornography. The bill establishes a private right of action for victims and empowers the Connecticut Attorney General to pursue civil injunctions and penalties against abusers and platforms hosting illegal content. This builds on prior Connecticut laws criminalizing unauthorized intimate image dissemination.

CT

Connecticut Attorney General William Tong praised final passage of House Bill 5312, which creates new civil enforcement mechanisms for deepfake digital sexual assault. The legislation allows the AG to pursue civil injunctions and penalties against platforms that disseminate illegal synthetic intimate images, including AI-generated child pornography, and establishes a private right of action for victims. The bill builds on prior Connecticut laws criminalizing unauthorized dissemination of intimate images.

CT

Made-in-China

$300K

Connecticut Attorney General William Tong announced a settlement with international trade platform Made-in-China to cease all U.S. sales of unlawful 'research grade' GLP-1 weight loss drugs following an investigation into direct sales to consumers without prescriptions or medical oversight. The settlement prohibits the platform from hosting GLP-1 sales to U.S. customers, requires a monitoring system to remove non-compliant listings, and imposes a $300,000 penalty suspended after an initial $30,000 payment. Additional settlements were announced with Radiance Medspa and Advanced Medical Weight Loss over compounded non-FDA approved GLP-1 drugs.

CT

social media companies

Connecticut Attorney General William Tong issued a statement on May 1, 2026, announcing the final passage of bipartisan legislation targeting youth social media addiction and artificial intelligence harms. The legislation imposes new obligations on social media companies regarding minor account settings, parental consent, and reporting, as well as requirements for AI chatbot operators and employers using automated decision tools. The statement also references ongoing enforcement actions against Meta and TikTok for allegedly designing addictive platform features for youth.