
You’ve heard of phishing scams, ransomware, and all the usual cyber villains—but have you prepared for the wrath of a squirrel? In this episode, we unpack how one fuzzy-tailed offender knocked out power to 11,000 customers and sent a swim club scrambling for pencils and paper. But this isn’t just a woodland horror story. It’s a real-world reminder that sometimes, your biggest threat isn’t a hacker—it’s Alfred the squirrel with a death wish and a talent for circuit boards. We use this nutty incident to highlight the often-overlooked need for utility failure preparedness in healthcare and dig into the super-helpful (and criminally underused) ASPR TRACIE tip sheets that can keep your operations steady when nature gets twitchy.
In this episode:
Sometimes It’s Just a Squirrel – Ep 513
Today’s episode is brought to you by: Kardon and HIPAA for MSPs with Security First IT
Comstar’s Ransomware Reckoning
[01:15] Another settlement, but this one is with a BA. It is also a case that started in this decade!
Comstar, LLC Resolution Agreement and Corrective Action Plan | HHS.gov
This settlement is with Comstar, a Massachusetts company that provides billing, collection, and related services to non-profit and municipal emergency ambulance services. At the time of the breach, Comstar was a business associate of over 70 CEs, which is not a small number of customers that had to be notified.
Comstar had a ransomware attack in March 2022 that impacted 585,621 individuals. The attackers were in the system from March 19 until March 26 when they launched the attack. Even then it was the IT service vendor who started getting support tickets about the problem as the attack spread. Comstar’s breach report to OCR was dated May 26, 2022. They came screeching in just under 60 days.
Again – we have so many questions!
Settlement Marks OCR’s 13th Ransomware Enforcement Action and 9th Enforcement Action in OCR’s Risk Analysis Initiative
“Assessing the potential risks and vulnerabilities to electronic protected health information is effective cybersecurity, and a HIPAA Security Rule requirement,” said Acting OCR Director Anthony Archeval. “Failure to conduct a HIPAA risk analysis can cause health care entities to be more susceptible to cyberattacks.”
Comstar agreed to a two-year CAP and paid OCR $75,000. The CAP requires Comstar to:
- Conduct a comprehensive and thorough SRA of ePHI that Comstar holds
- Develop a risk management plan based on the SRA
- Review and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules
- Train its workforce members who have access to PHI on its HIPAA policies and procedures.
Important things to note here:
➡️ Just because a business has lots of other clients in healthcare does not mean they have a solid privacy & security program. Everyone thinks that everyone else is vetting the vendor appropriately, and nobody is actually doing it.
➡️ Ransomware groups will hang out in your systems until they are done. THEN they will set off the ransomware once they have your data.
➡️ The day the breach happened and the day it was detected were both on a Saturday. Weekends and holidays are the best times for cyber criminals to strike. They don’t mind working.
➡️ Class action lawsuits immediately followed this incident. If you search, you will find a number of breach notifications from this incident and articles regarding lawsuits.
They now have this page on their website – not sure if it was there before.
Security and Data Protection | Comstar
At Comstar Ambulance Billing Service (Comstar), the privacy and security of client information is treated with the utmost importance. Recognizing the critical nature of safeguarding sensitive data, especially in the healthcare sector, efforts have been made to align security practices with industry standards, including HIPAA, ISO 27001, NIST 800-171, and NIST 800-53. These standards guide the implementation of security measures designed to protect the confidentiality, integrity, and availability of the data entrusted to Comstar.
The Chad quote: “When it comes to a ransomware attack, survival isn’t luck. It’s leadership!”
Sometimes It’s Just a Squirrel
[24:35] Years ago we talked about this site. They don’t maintain it anymore, but it shows just how common power outages caused by wildlife can actually be: https://cybersquirrel1.com/
Officials: Squirrel causes widespread power outages in parts of Monmouth County
A squirrel caused widespread power outages for more than 11,000 JCP&L customers in Monmouth County Wednesday morning.
According to FirstEnergy spokesman Todd Myers, the squirrel came into contact with electrical equipment inside a Howell Township substation. This caused circuit breakers, which are designed to protect sensitive equipment, to cause outages in six neighborhoods.
The outage caused some area schools to close and businesses to delay their openings.
The Howell Point Swim Club was without internet even after their power was restored around 11 a.m.
When your data center’s offline because of a cyberattack, it’s a mess. But when the power’s out, your data AND your defibrillators might be down too. That is much more complicated than just shutting down computer systems. ASPR (Administration for Strategic Preparedness and Response) TRACIE (Technical Resources Assistance Center and Information Exchange) created this suite of tip sheets to help health care entities identify issues to consider when planning for and responding to various types of utility failures.
[29:54] Utility Failures in Health Care Toolkit (Summary)
This toolkit isn’t just a checklist—it’s a survival guide for when your entire facility might be one power outage away from turning into a very expensive tent. We love to plan for sci-fi scenarios—Russian hackers, A.I. meltdowns—but your biggest risk might be rain and a raccoon in the substation.
Why Utility Failures Are a Big Deal in Health Care
- Electrical, fuel, water, oxygen, and IT/telecom outages can cause serious risks to patients and staff—not just inconvenience.
- These failures can be due to natural disasters, cyberattacks, or even planned outages.
- One failure (like power) can take out others (like IT systems or water pumps).
All kinds of things that really keep your operation moving could be shut down in a blink of the lights. Consider what would happen if there was no oxygen delivery, no information registering on any medical devices, and electronic medical records were down. Even your coffee maker is not going to be there for you!
Toolkit Structure – Five Major Utility Types
The toolkit breaks it down into these failure types:
- Electricity
- Fuel
- Oxygen
- Telecommunications/IT
- Water
Planning Essentials
Having a plan really does matter. Have you thought about what might happen if your plan depends on other parts of your facility running as usual and then they fail? Consider operating without water: how long before you give up? What kinds of things should you think about in your plan?
A. Pre-Failure Planning
- Conduct hazard vulnerability assessments
- Evaluate infrastructure (and past failures)
- Coordinate with utility providers – are you on all of their priority restoration lists?
- Establish strong business continuity plans
B. Training & Exercises
- Form multidisciplinary teams
- Do scenario-based drills
- Educate staff on emergency roles and communication backup options (yes, even social media)
- Communicate with staff, patients and their loved ones, and the public about the facility status and any affected operations. Standardize pre-incident messages based on the facility’s hazard vulnerability assessment.
[45:32] What Happens When the Lights Actually Go Out
- Rapid assessment process
- Incident command activation
- Crisis communication (internal & external)
- Insurance and reporting steps
After the Storm: Recovery & Resilience
- Run after-action reviews
- Update your plans (don’t just file them away!)
- Explore new tech for backup power
- Consider utility resilience in new construction and renovations – even things like a redundant ISP can save the day
So next time someone chuckles at your power outage drills or scoffs at your backup Internet plan, just look them dead in the eye and say, “Remember the squirrel.” Whether it’s a hacker, hurricane, or an acorn-obsessed rodent named Alfred, your operations need to survive the unexpected—especially when it shows up on a weekend. This episode is your reminder that disaster prep isn’t just for cyberattacks. With ASPR TRACIE’s no-nonsense toolkit and a little imagination (plus maybe a squirrel repellent plan), you can stay ready for whatever nature—or negligence—throws your way.
HIPAA is not about compliance, it’s about patient care.™


