Attorneys General Get $4.5 Million From Biotech Company For Breach That Exposed Health Information On Millions

New York Attorney General Letitia James and the Connecticut and New Jersey attorneys general secured $4.5 million from Enzo Biochem Inc. for failing to protect the personal and private health information of its patients.

Enzo is a biotechnology company that offers diagnostic tests to patients at its laboratories in New York, Connecticut and New Jersey. The Attorney General’s Office found that Enzo had poor data security practices that led to a ransomware attack that compromised the personal and private information of 2.4 million patients, including more than 1.4 million New York residents.

Enzo agreed to pay $4.5 million, of which New York will receive $2.8 million.

In 2023, cyber attackers accessed Enzo’s networks using two employee login credentials. The OAG later found that those two login credentials were shared among five Enzo employees and that one of the login credentials had not been changed in 10 years. Once logged in, the attackers installed malicious software on several of Enzo’s systems. Enzo wasn’t aware of the attackers’ activity until days later because the company didn’t have a system or process in place to monitor or report suspicious activity, according to the OAG.

The information that was compromised included names, addresses, dates of birth, phone numbers, social security numbers, and medical treatment and diagnostic information.

Enzo agreed to the fine and to adopt a number of measures, including:

  • Maintaining a comprehensive information security program designed to protect the security, confidentiality and integrity of private information;
  • Implementing and maintaining policies and procedures that limit access to personal information;
  • Implementing and maintaining multi-factor authentication for all individual user accounts;
  • Establishing and maintaining policies and procedures that require the use of strong and complex passwords and password rotation;
  • Encrypting all personal information, whether stored or transmitted;
  • Conducting and documenting annual risk assessments;
  • Developing, implementing and maintaining a comprehensive incident response plan for potential data security issues.
