Report on Patient Privacy 25, no. 6 (June, 2025)
A single incident that may have started as a personal vendetta or an extortion threat seven years ago has cost a Florida health care system $800,000, and comes on the heels of an unrelated breach suffered by a different hospital in the same organization just last year.
The payment by Clearwater, Fla.-based BayCare Health System, which the HHS Office for Civil Rights (OCR) announced May 15,[1] was the third priciest of 2025, following a $3 million settlement with a diabetes supply firm and a $1.5 million fine OCR imposed on eyewear vendor Warby Parker.[2]
BayCare’s was one of three OCR enforcement actions the agency made public in May; all were accompanied by two-year corrective action plans (CAPs).
On May 30, two days after the BayCare announcement, OCR said a business associate (BA) in Rowley, Mass., agreed to a $75,000 settlement stemming from a 2022 ransomware attack that encrypted the protected health information (PHI) of nearly 560,000 patients of 70 covered entities (CEs) it served.[3]
All three settlements contribute to the long-standing puzzle of how OCR determines financial payment amounts, bedeviling CEs, BAs, attorneys and experts alike. Vision Upright MRI of San Jose, Calif., agreed to pay just $5,000 to settle allegations that it failed both to conduct a security risk analysis and to notify the 22,000 affected individuals within the required 60 days.[4]
As of June 1, OCR had issued 15 enforcement actions this year, nine of which were announced by former OCR Director Melanie Fontes Rainer, a Biden appointee who resigned in mid-January and later shared exclusively with RPP her concerns about the future of the agency.[5] OCR has collected a total of $7,610,316 from its enforcement actions so far this year.
BayCare officials would not answer any of RPP’s questions, including why it took so long to reach an agreement and what the $800,000 is based on. Instead, a spokesperson provided the following two-sentence statement about the settlement: “BayCare takes patient privacy very seriously. We have cooperated fully with the Department of Health and Human Services’ Office of Civil Rights in its investigation.”
The spokesperson also clarified that this settlement does not encompass a March 2024 breach that occurred when an employee of Winter Haven Hospital mistakenly attached a cardiac department file with information for some 2,100 patients when emailing a patient. However, the spokesperson would not comment on this incident.
OCR: BayCare ‘Failed to Reduce Risks’
OCR didn’t fill in too many blanks about either the $800,000 settlement or the $75,000 one. In its announcement, OCR said it began an investigation “following its receipt of a complaint in October 2018, in which the complainant alleged that after receiving treatment at a BayCare facility, she was contacted by an unknown individual who had photographs of her printed medical records, as well as a video of someone scrolling through her medical records on a computer screen.”
The headline on the announcement referred to the incident as being perpetrated by a “malicious insider.”
The access was made with the credentials of a “non-clinical former staff member of a physician’s practice,” which provided access to BayCare’s “electronic medical records for the continuity of common patients’ care,” OCR said. It was not clear whether the former staff member whose credentials were used was the one who engaged in the inappropriate access, nor who contacted the patient.
The settlement agreement identified St. Joseph’s Hospital as the medical center at issue. But it said nothing about the intent of the person who contacted the patient and if anything happened after the photo and video were shared.
Although most OCR settlements allege CEs and BAs haven’t conducted a risk analysis, that wasn’t the case with BayCare. Instead, OCR alleged BayCare failed to “implement policies procedures for authorizing access to ePHI [electronic PHI] that are consistent with the applicable requirements of the HIPAA Privacy Rule,” failed to “reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level” and failed to “regularly review records of information system activity.”[6]
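The two Security Rule failures OCR cites, unrevoked access authorization and no regular review of information system activity, map onto a concrete log-review check. The following is an added illustration, not code from the article, BayCare or OCR: it runs over constructed EHR audit-log lines and a constructed workforce roster, flags any access made with the credentials of a separated workforce member, flags an affiliated-practice account viewing a patient outside its agreed “common patients” list, and lists accounts that should already have been disabled. All names, dates, identifiers and the log format are hypothetical.

```python
"""Minimal HIPAA-style information system activity review (added example).

Checks applied to each constructed audit-log line:
  1. Credentials used after their owner's separation date (the gap OCR
     described in the BayCare case: a former practice staff member's account).
  2. An affiliated-practice account viewing a record outside the practice's
     common-patient list (an access-authorization failure).
A separate check lists accounts still enabled past their separation date.
All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime

# Constructed workforce roster: account -> (affiliation, separation date, still enabled)
ROSTER = {
    "jdoe":   ("hospital",   None,                    True),
    "mlee":   ("practice-a", None,                    True),
    "rsmith": ("practice-a", datetime(2018, 6, 30),   True),   # left, never disabled
}

# Constructed authorization list: patient MRNs each practice may view
COMMON_PATIENTS = {
    "practice-a": {"MRN100", "MRN101"},
}

# Constructed EHR audit-log lines: timestamp|account|action|patient
SAMPLE_LOG = """\
2018-09-03T08:15:00|jdoe|VIEW|MRN100
2018-09-03T09:02:11|mlee|VIEW|MRN101
2018-09-04T22:47:30|rsmith|VIEW|MRN100
2018-09-04T22:48:05|rsmith|VIEW|MRN250
2018-09-05T10:30:00|mlee|VIEW|MRN300
"""


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    account: str
    patient: str
    reason: str


def parse_line(line: str):
    """Split one pipe-delimited audit line into typed fields."""
    ts, account, action, patient = line.strip().split("|")
    return datetime.fromisoformat(ts), account, action, patient


def review_activity(log_text: str, roster=ROSTER, common=COMMON_PATIENTS):
    """Return a Finding for every access that should be escalated."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, _action, patient = parse_line(line)
        if account not in roster:
            findings.append(Finding(ts, account, patient, "account not on workforce roster"))
            continue
        affiliation, separated, _enabled = roster[account]
        # Check 1: credentials of a separated workforce member still in use
        if separated is not None and ts > separated:
            findings.append(Finding(ts, account, patient,
                                    f"credentials used after separation on {separated.date()}"))
        # Check 2: practice account outside its authorized patient panel
        if affiliation.startswith("practice") and patient not in common.get(affiliation, set()):
            findings.append(Finding(ts, account, patient,
                                    f"{affiliation} account viewed patient outside common-patient list"))
    return findings


def stale_accounts(roster=ROSTER, as_of=None):
    """Accounts still enabled although their owner has already separated."""
    as_of = as_of or datetime.now()
    return sorted(acct for acct, (_aff, sep, enabled) in roster.items()
                  if enabled and sep is not None and sep <= as_of)


if __name__ == "__main__":
    for f in review_activity(SAMPLE_LOG):
        print(f"{f.timestamp:%Y-%m-%d %H:%M} {f.account:<8} {f.patient:<7} {f.reason}")
    print("accounts to disable:", stale_accounts(as_of=datetime(2018, 9, 1)))
```

In practice the roster would come from the HR system and the log from the EHR’s audit export; the point is that both checks are cheap to run on a schedule, and either would have surfaced the activity described above before a patient was contacted.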
Yet, conducting a risk analysis is the first requirement in BayCare’s CAP, which also calls for the development of a related risk management plan and revised policies and procedures addressing risk management, information system activity review and information access management. Training on the new policies is also required.
Few Clues Offered About Comstar Attack
Regarding Comstar, its resolution agreement states that, “on March 19, 2022, an unknown actor gained access to [ePHI] maintained on Comstar’s network servers. Comstar did not detect the intrusion until March 26, 2022, when its IT service vendor began receiving support tickets. It was determined ransomware was used to encrypt Comstar’s network servers and that the [PHI] of 585,621 individuals was affected.”[7]
OCR based the settlement on a single infraction; it said Comstar “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that it holds.” Comstar did not respond to RPP’s request for comment.
The agency provided no other information, such as how long the data was encrypted, whether ransom was paid and if any data was exfiltrated.
Information posted by the Centerville-Osterville-Marstons Mills (COMM) Fire-Rescue Department in Massachusetts described Comstar as its former ambulance billing firm and said all of Comstar’s patient records were affected and that its “data storage system as a whole was held hostage by ransomware.”[8]
“Upon learning of the potential security breach, Comstar immediately notified COMM Fire of the situation and out of an abundance of caution, and despite the fact that no evidence was found indicating patient records were actually removed; COMM Fire authorized Comstar to notify every patient who could have been potentially impacted,” the undated online notice states. COMM wasn’t a client of Comstar’s at the time; the relationship spanned from 2009 to 2019.
Comstar’s CAP is similar to, and perhaps a bit broader than, BayCare’s. In addition to conducting a risk analysis and developing a risk management plan, the BA is to revise its policies and procedures to address its security management process, security awareness and training, security incident procedures and BA breach notification requirements, and to retrain workers, as BayCare’s CAP also requires.
1 U.S. Department of Health and Human Services, Office for Civil Rights, “HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with a Florida Health Care Provider,” news release, May 28, 2025, https://bit.ly/4dCp2zv.
2 Theresa Defino, “$1.5M Warby Parker Fine a Holdover; OCR Focuses On Men in Sports, Antisemitism, ‘Biological Truth,’” Report on Patient Privacy 25, no. 3 (March 2025), https://bit.ly/4clCVSj.
3 U.S. Department of Health and Human Services, Office for Civil Rights, “HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Comstar, LLC,” news release, May 30, 2025, https://bit.ly/3Zb1Sug.
4 Jane Anderson, “Risk Analysis Not Just for Big Providers, OCR Warns in Settlement With MRI Firm,” Report on Patient Privacy 25, no. 6 (June 2025).
5 Theresa Defino, “Former OCR Director Fontes Rainer Reflects On ‘Imperfect’ RSP Law, Urges Final Security Reg,” Report on Patient Privacy 25, no. 5 (May 2025), https://bit.ly/4kLcyrQ.
6 U.S. Department of Health and Human Services, Office for Civil Rights, “Resolution Agreement,” February 14, 2025, https://bit.ly/455uxoq.
7 U.S. Department of Health and Human Services, Office for Civil Rights, “Comstar, LLC Resolution Agreement and Corrective Action Plan,” February 19, 2025, content last reviewed May 30, 2025, https://bit.ly/4kjQLaP.
8 Centerville-Osterville-Marstons Mills Fire-Rescue Department, “Comstar Notification,” page last accessed June 2, 2025, https://www.commfiredistrict.com/comstar.