AG Secures Part of $4.5 Million Payment from Farmingdale-Based Biotech Company

By Kayleigh Anderson

New York Attorney General Letitia James and the attorneys general of Connecticut and New Jersey today secured $4.5 million from Enzo Biochem, Inc. for failing to adequately safeguard the personal and private health information of its patients.

Headquartered in Farmingdale, Enzo is a biotechnology company that offers patients diagnostic testing at its laboratories in New York, Connecticut, and New Jersey. The Office of the Attorney General (OAG) found that Enzo had poor data security practices, which led to a ransomware attack that compromised the personal and private information of approximately 2.4 million patients, including more than 1.4 million New York residents. As a result of the agreement, Enzo will pay $4.5 million, of which New York will receive $2.8 million, and will strengthen its data security practices.

“Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” said James. “Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft. Data security is part of patient safety, and my office will continue to hold companies accountable when they fail to protect New Yorkers.”

In 2023, cyber-attackers were able to access Enzo’s networks using two employee login credentials. The OAG later found that those two login credentials were shared between five Enzo employees and one of the login credentials hadn’t been changed in the last ten years, putting Enzo at heightened risk of a cyberattack. Once logged in, the attackers installed malicious software on several of Enzo’s systems. Enzo was not aware of the attackers’ activity until several days later because the company did not have a system or process in place to monitor or provide notice of suspicious activity. The attackers were able to steal files and data that contained patient information for 2.4 million patients, including 1,457,843 New Yorkers. Information that was compromised included names, addresses, dates of birth, phone numbers, Social Security numbers, and medical treatment/diagnosis information.

According to the OAG, Enzo will adopt a series of measures aimed at strengthening its cybersecurity practices going forward, including maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information; implementing and maintaining policies and procedures that limit access to personal information; implementing and maintaining multi-factor authentication for all individual user accounts; establishing and maintaining policies and procedures that require using strong, complex passwords and password rotation; encrypting all personal information, whether stored or transmitted; conducting and documenting annual risk assessments; and developing, implementing, and maintaining a comprehensive incident response plan for potential data security issues.

Long Island Life & Politics reached out to Enzo for comment and is waiting to hear back.
