Enzo Biochem Reaches $4.5M Settlement with CT, NJ, and NY Over 2023 Data Breach

  • The New York, Connecticut, and New Jersey AGs entered into settlements with biotechnology company Enzo Biochem, Inc. and its subsidiary Enzo Clinical Labs, Inc. (collectively, “Enzo”), to resolve allegations stemming from a 2023 data breach involving the personal information of more than 2.4 million individuals in violation of HIPAA security and notification requirements and the states’ consumer protection and data security laws.
  • According to the AG offices, Enzo—which provides diagnostic testing—failed to adequately safeguard patient information, leaving it vulnerable to a ransomware attack.  Enzo’s alleged data security deficiencies included shared employee log-in credentials, and failure to use controls such as multi-factor authentication (MFA), encrypt sensitive patient information, adequately monitor user activity on its network, or conduct risk management analyses and security testing.
  • Under the terms of the settlements, Enzo will pay a combined $4.5 million in civil penalties to the three states and must take measures to strengthen its data security practices including implementing MFA for all users; establishing robust password policies; encrypting all personal information, whether stored or transmitted; conducting annual risk assessments; and developing a comprehensive incident response plan.  Enzo must also undergo a comprehensive third-party assessment of its network’s information security within 180 days of the settlements and offer identity theft protection services to affected individuals.