Enzo Biochem has agreed to pay a $4.5 million penalty and adopt measures to strengthen its cybersecurity practices following a 2023 data breach that affected 2.4 million people, according to the New York Office of the Attorney General (OAG).
Enzo Biochem's work in academic research, drug development, contract research, and diagnostics includes genomic, protein, cellular, and tissue analysis, as well as small molecule chemistry, according to Enzo Biochem's website. However, the $4.5 million penalty relates to an April 2023 data breach and cyberattack on Enzo's clinical lab business prior to the lab's sale last summer, according to New York Attorney General Letitia James, who, together with the attorneys general of Connecticut and New Jersey, secured an agreement with Enzo on August 13.
At the time of the cyberattack, Enzo's data security program was deficient in several areas, an August 8 OAG document stated. For example, files stored on shared network space and a database were not encrypted at the file level. Enzo also did not maintain comprehensive records of user and network activity, and the company did not have a system or process in place to monitor for, or provide notice of, suspicious activity. Moreover, Enzo's process for evaluating potential risks to its information systems was "informal."
As a result, attackers gained remote access to Enzo's private network. Among the weaknesses that made this possible, two administrator login credentials had been shared among five Enzo employees, and one of those credentials had not been changed in 10 years. This put Enzo at heightened risk of a cyberattack, the OAG noted. The attackers also installed malicious software on several Enzo systems.
More than half of the 2.4 million patients possibly affected by the data breach were from the state of New York, and all of them underwent testing in New York, New Jersey, or Connecticut. New York will receive $2.8 million as a result of the agreement.
Enzo Clinical Labs is a "covered entity" under the Health Insurance Portability and Accountability Act (HIPAA), subject to the HIPAA Security Rule, 45 C.F.R. Part 160 and Part 164 Subparts A and C, and the Breach Notification Rule, 45 C.F.R. Part 164 Subpart D. Enzo's conduct violated both the HIPAA Security Rule and the Breach Notification Rule, the OAG document noted. The breach involved access to a variety of patient information, including patient names, dates of birth, addresses, phone numbers, Social Security numbers, and medical treatment/diagnosis information, as well as files relating to tests performed between October 2012 and April 2023.
The matter was handled through New York's Bureau of Internet and Technology under the state's Division for Economic Justice.