New York Attorney General Letitia James and the attorneys general of Connecticut and New Jersey secured $4.5 million from Enzo Biochem Inc. for failing to safeguard the personal and private health information of its patients.
Enzo is a biotechnology company that offers patients diagnostic testing at its laboratories in New York, Connecticut and New Jersey. The Office of the Attorney General reportedly found that Enzo had poor data security practices, which led to a ransomware attack that compromised the personal and private information of 2.4 million patients, including more than 1.4 million New York residents.
Enzo has agreed to pay $4.5 million, of which New York will receive $2.8 million.
In 2023, cyber-attackers accessed Enzo’s networks using two employee login credentials. The OAG later found that those two login credentials were shared between five Enzo employees and one of the login credentials hadn’t been changed in the last 10 years. Once logged in, the attackers reportedly installed malicious software on several of Enzo’s systems. Enzo was not aware of the attackers’ activity until several days later because the company did not have a system or process in place to monitor or provide notice of suspicious activity, according to the OAG.
Information that was compromised included names, addresses, dates of birth, phone numbers, Social Security numbers and medical treatment and diagnosis information.
Enzo agreed to the fine and to adopt a series of measures, including:
- Maintaining a comprehensive information security program designed to protect the security, confidentiality and integrity of private information;
- Implementing and maintaining policies and procedures that limit access to personal information;
- Implementing and maintaining multi-factor authentication for all individual user accounts;
- Establishing and maintaining policies and procedures that require using strong, complex passwords and password rotation;
- Encrypting all personal information, whether stored or transmitted;
- Conducting and documenting annual risk assessments;
- Developing, implementing and maintaining a comprehensive incident response plan for potential data security issues.
Was this article valuable?
Here are more articles you may enjoy.