Comstar Ambulance Inadequate Notice of Data Breach Class Action

Comstar, LLC, which does business as Comstar Ambulance Billing Service, gets individuals’ information and maintains it in its database, claims the complaint for this class action, “for its own pecuniary gain.” But the complaint alleges that Comstar failed to protect this personally identifiable information (PII) and protected health information (PHI), suffered a data breach, and then did not provide the affected individuals with “timely, accurate, and adequate notice” about the data breach.

The class for this action is all persons living in the US whose private information was compromised in the data breach announced by Comstar on or around May 25, 2022.

Comstar’s website claims that it performs ambulance billing, collection, and other services for “municipal and non-profit ambulance service[.]” The complaint quotes the company as saying that the “security of information in Comstar’s care is one of [Comstar’s] highest priorities and [Comstar has] strict security measure to protect information in [Comstar’s] care,” but the complaint reports that the company nevertheless suffered a data breach.

The information exposed, the complaint alleges, encompasses PII, including names, dates of birth, driver’s license information, Social Security numbers; PHI, including medical assessments, medication administration, and health insurance information; and financial account information. The complaint claims that nearly 69,000 individuals were affected.

The complaint claims that Comstar began notifying affected individuals only on or around May 25, 2022, “nearly two months after Comstar first discovered suspicious activity on [its] servers and over a month after the investigation by Comstar concluded that unauthorized accesses of its servers had occurred[,]” making the notice not timely, according to the complaint.

As to accuracy, the complaint alleges that the notice does not detail the scope of the data breach and claims that “the investigation was unable to confirm what specific information” was stolen.

Finally, as to the issue of adequacy, the complaint alleges that Comstar’s notice “does not state how the Data Breach occurred, how long the Data Breach lasted, when the Data Breach began, and other pertinent information.”

These failures, the complaint claims, violate Comstar’s own Privacy Policy as to how notifications of unauthorized uses of information should be handled.

The complaint alleges that the “unencrypted, unredacted Private Information was compromised due to [Comstar’s] negligent and/or careless acts and omissions, and due to its utter failure to protect” the information in its systems.

According to the complaint, Comstar should have known it could be the target of a data breach because of the large and increasing numbers of cyberattacks targeting healthcare entities.

The complaint claims that Comstar failed to comply with Federal Trade Commission guidelines or with industry standards for the protection of information.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy