You’re not paranoid: lawyers are coming to get you, the piece reminds readers, with regulators, state attorneys general, and class-action lawyers all circling after breaches involving patient data. It chronicles Comstar, LLC, and a ransomware incident first disclosed in May 2022, affecting about 585,621 individuals, with 68,957 patients initially notified and a later federal settlement of $75,000 plus a corrective action plan.
In May 2025, HHS OCR announced a settlement with Comstar, while Connecticut and Massachusetts followed with a combined $515,000 settlement and a detailed corrective action plan requiring measures such as phishing protection software, multi-factor authentication, an asset inventory, and an annual security assessment.
The article notes that the settlement includes both monetary penalties and corrective action requirements, and that class-action suits were filed in federal court in Massachusetts in July 2022, with further state actions possible. It concludes by emphasising the importance of an accurate, thorough risk assessment and appropriate access and storage controls for various types of data, a message framed as timeless guidance beyond a single incident. According to HHS OCR.