Enzo Biochem pays $4.5M for health data security failures
State attorneys general from New York, Connecticut and New Jersey issued a $4.5 million penalty to Enzo Biochem, Inc. following a 2023 ransomware attack that exposed health data security failures.
Enzo Biochem, Inc. agreed to pay $4.5 million over health data security failures following a 2023 ransomware attack that affected 2.4 million patients. State attorneys general from New York, Connecticut and New Jersey teamed up to lead the investigation and reach a settlement with Enzo.
Enzo offers diagnostic testing at labs in New York, Connecticut and New Jersey. The biotech company experienced a ransomware attack on April 6, 2023, and immediately disconnected its systems and notified law enforcement, according to a Securities and Exchange Commission (SEC) Form 8-K filing.
Further investigation by the state attorneys general revealed that cyber threat actors gained access to Enzo's networks using two employee login credentials. Five Enzo employees had been sharing those two credentials, one of which had not been changed in the past decade.
The threat actors were able to gain access and install malicious software on multiple systems, which went unnoticed for a few days because Enzo did not have a system in place to monitor for or detect suspicious activity.
The information compromised in the breach included names, addresses, phone numbers, dates of birth, Social Security numbers and medical treatment information.
The $4.5 million penalty will be split among the three states that took part in the investigation, with $2.8 million going to New York, approximately $930,000 going to New Jersey and about $743,110 going to Connecticut.
"This agreement sends a strong message to companies that we will hold them accountable if they fail to take reasonable measures to protect consumers' information," said William Tong, Connecticut's attorney general.
In addition to the monetary penalty, Enzo agreed to adopt several cybersecurity measures, including the following:
- Implementing policies to limit access to personal information.
- Encrypting all personal information.
- Maintaining multifactor authentication for all user accounts.
- Developing a comprehensive information security program.
- Conducting annual risk assessments.
- Establishing strong password policies.
- Developing and implementing an incident response plan for data security issues.
"Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals," said Letitia James, New York's attorney general.
"Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft. Data security is part of patient safety, and my office will continue to hold companies accountable when they fail to protect New Yorkers."
This case is the latest in a string of similar agreements between state attorneys general and healthcare providers that suffered data breaches. For example, in January 2024, the New York Attorney General's Office reached a settlement with Refuah Health Center over alleged failures to protect the information of patients.
In December 2023, the New York Attorney General's Office penalized dental insurance provider Healthplex following a 2021 data breach.
As healthcare data breaches continue to affect patients nationwide, state and federal governments are taking action to address data security failures.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.