Enzo BioChem has agreed to a $4.5 million settlement with New Jersey, New York and Connecticut over its alleged deficient data and security safeguards, which led to a 2023 ransomware attack that compromised the personal health data of 2.4 million patients, including about 331,600 New Jersey residents.
An investigation into the April 2023 cyberattack on Enzo revealed that the company’s networks were accessed using two employee login credentials with administrator privileges. The risk was heightened because those two logins were shared among five employees. One of the login credentials had not been changed in 10 years, according to the consent order reached between the company and the states.
Enzo, a New York-based biotechnology company that offers diagnostic testing at its laboratories in New York, Connecticut and New Jersey, was represented by counsel with Baker & Hostetler.
The cyberattack installed malicious software on Enzo’s systems, which the company did not become aware of until several days later because it had no system for monitoring suspicious activity, according to the order.
“The attackers subsequently provided respondents with information concerning the systems and data they had accessed, including a listing of hundreds of thousands of files the attackers had exfiltrated, which the attackers claimed comprised approximately 1.4 terabytes of data, some of which contained patient information,” the order said. “The attackers demanded a ransom payment to provide the decryption key to unlock the encrypted files and not publicly release the stolen information.”
New Jersey will receive about $930,000, New York will recoup $2.8 million, and Connecticut is set to receive approximately $743,110, each state announced.
The states’ attorneys general, Matthew J. Platkin from New Jersey, Letitia James from New York, and William Tong from Connecticut, filed an administrative action against Enzo over the breach. In it, the states alleged that a November 2021 Health Insurance Portability and Accountability Act risk assessment conducted by an Enzo vendor identified several risks to the company’s information systems and recommended corrective actions. Those were not implemented before the 2023 data breach, according to the consent order.
“It is stunning that as recently as last year, this health care company apparently did not abide by basic security precautions for online accounts, such as instructing its employees not to share passwords,” Platkin said. “Businesses of all kinds, and especially health care firms, must make robust cybersecurity a top priority. Poor data security and privacy practices make it easy for cybercriminals to exploit technological vulnerabilities and gain access to sensitive health information.”
The states alleged that the data breach violated HIPAA and the New Jersey Consumer Fraud Act. In addition to paying the settlement, Enzo agreed to strengthen its cybersecurity practices through various measures, including maintaining a comprehensive information security program designed to protect patient information.
In a statement, James said that getting blood work should not result in patients having their personal health information stolen by cybercriminals.
“Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft,” James said. “Data security is part of patient safety, and my office will continue to hold companies accountable when they fail to protect New Yorkers.”
In a statement on the settlement, Tong said that a comprehensive Connecticut investigation discovered Enzo’s failure to safeguard the data of the state’s residents.
“This agreement sends a strong message to companies that we will hold them accountable if they fail to take reasonable measures to protect consumers’ information,” Tong said.
New Jersey acting Director of the Division of Consumer Affairs Cari Fais said in a news release that the division is committed to ensuring that businesses implement strong information security measures and holding businesses accountable when they fail to take proper precautions to safeguard consumers’ data.
Enzo was represented by Kimberly C. Gordy, a partner with Baker & Hostetler in Houston. Gordy did not immediately respond to a request for comment.