New York Attorney General Letitia James, in partnership with her counterparts in Connecticut and New Jersey, emphasized the gravity of Enzo’s failure to protect patient data.
“Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” Attorney General James stated. “Healthcare companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft. Data security is part of patient safety, and my office will continue to hold companies accountable when they fail to protect New Yorkers.”
Details of the Enzo Biochem Data Breach and Lapses
The Enzo Biochem cyberattack in question occurred in April 2023, when attackers gained access to Enzo’s systems using two employee login credentials. An investigation by the Office of the Attorney General (OAG) found that these credentials were shared among five employees, and that one of them had not been changed in over a decade. A shared, long-unrotated credential cannot be tied to a single person and is far more likely to have leaked, which made it a significant vulnerability.
Once inside the system, the attackers installed malicious software across several of Enzo’s systems, allowing them to steal vast amounts of data unnoticed.
One of the most important aspects of the Enzo Biochem data breach was the lack of a proper monitoring system. Enzo was unaware of the unauthorized access for several days, a delay that gave the attackers time to extract sensitive patient information, including names, addresses, dates of birth, phone numbers, Social Security numbers, and medical treatment or diagnosis details.
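The two conditions described above, a credential shared among several people and a password left unchanged for years, both leave traces an organization can look for before an attacker does. The script below is an added example written for this article; it is not code from Enzo, the OAG, or the settlement. It runs two simple checks over constructed sample data: a shared-credential heuristic (one account authenticating from several distinct source addresses inside a short window) and a password-age check against a policy threshold. The usernames, IP addresses, timestamps and the 90-day threshold are all illustrative assumptions.

```python
"""Added example (not from the original page): two audit checks that would
surface a shared login credential and a stale password, using constructed
sample login events and constructed directory records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful logins: (timestamp, username, source IP).
# "labshare" is a hypothetical account passed around a team; "jdoe" is not.
SAMPLE_LOGINS = [
    ("2023-04-03T08:02:11", "labshare", "10.0.4.17"),
    ("2023-04-03T08:05:40", "labshare", "10.0.4.23"),
    ("2023-04-03T08:09:02", "labshare", "10.0.4.31"),
    ("2023-04-03T08:15:55", "labshare", "203.0.113.7"),
    ("2023-04-03T08:20:00", "jdoe", "10.0.4.17"),
    ("2023-04-03T13:20:00", "jdoe", "10.0.4.18"),
]

# Constructed sample of directory records: username -> last password change.
SAMPLE_ACCOUNTS = {
    "labshare": datetime(2012, 6, 1),
    "jdoe": datetime(2023, 1, 15),
}

# Date on which the audit is assumed to run (illustrative).
AUDIT_DATE = datetime(2023, 4, 3)


def shared_credential_candidates(logins, window=timedelta(hours=1), min_sources=3):
    """Return {username: [source IPs]} for accounts that authenticated from at
    least `min_sources` distinct source addresses within any span of length
    `window`. A single person rarely does that; a credential shared by a team
    (or stolen and used alongside its owner) does."""
    by_user = defaultdict(list)
    for ts, user, ip in logins:
        by_user[user].append((datetime.fromisoformat(ts), ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct sources seen from this event forward, within the window.
            ips = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(ips) >= min_sources:
                flagged[user] = sorted(ips)
                break
    return flagged


def stale_passwords(accounts, now, max_age_days=90):
    """Return {username: age_in_days} for accounts whose password is older
    than `max_age_days`. The threshold is an assumed policy value."""
    return {
        user: (now - changed).days
        for user, changed in accounts.items()
        if (now - changed).days > max_age_days
    }


if __name__ == "__main__":
    for user, ips in shared_credential_candidates(SAMPLE_LOGINS).items():
        print(f"possible shared credential: {user} used from {ips}")
    for user, age in stale_passwords(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"stale password: {user} last changed {age} days ago")
```

On the constructed data the shared-credential check flags only `labshare`, which is used from four addresses within fifteen minutes, and the age check flags only `labshare`, whose password is over ten years old. In a real environment the login events would come from the identity provider or VPN logs and the password-change dates from the directory; the heuristics are the same.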
The Enzo Biochem data breach affected 2.4 million patients, with 1,457,843 of them residing in New York.
Settlement and Future Obligations
As part of the settlement, Enzo Biochem has agreed to a series of stringent measures to enhance its cybersecurity protocols. These measures are aimed at preventing future breaches and ensuring that the company complies with the highest standards of data protection. The key provisions of the settlement include:
- Comprehensive Information Security Program: Enzo is required to maintain a robust information security program designed to protect the security, confidentiality, and integrity of private information.
- Access Control Policies: The company must implement and maintain policies and procedures that limit access to personal information, ensuring that only authorized personnel can access sensitive data.
- Multi-Factor Authentication (MFA): Enzo is mandated to implement and maintain MFA for all individual user accounts, adding an extra layer of security to prevent unauthorized access.
- Password Management: The settlement requires the establishment and maintenance of policies that enforce the use of strong, complex passwords and regular password rotation to mitigate the risk of credential-based attacks.
- Data Encryption: All personal information, whether stored or transmitted, must be encrypted to protect it from unauthorized access.
- Annual Risk Assessments: Enzo must conduct and document annual risk assessments to identify and address potential security vulnerabilities.
- Incident Response Plan: The company is also required to develop, implement, and maintain a comprehensive incident response plan to address any future data security issues promptly.
New York will receive $2.8 million of the $4.5 million penalty, while the remaining amount will be distributed between New Jersey and Connecticut. The settlement with Enzo Biochem not only holds Enzo accountable but also serves as a stern warning to other companies in the healthcare industry about the critical importance of robust cybersecurity measures.
Ongoing Efforts to Enhance Data Security
This Enzo Biochem data breach case is part of a broader effort by Attorney General James to improve data security practices across various industries. In recent months, her office has taken several actions to hold companies accountable for poor cybersecurity and to provide guidance on best practices. These efforts include launching privacy guides for businesses and consumers, issuing alerts on identity theft protection services, and leading a coalition to address the rise of social media account takeovers.
Earlier this year, Attorney General James released a comprehensive data security guide aimed at helping companies strengthen their data protection practices. James also issued a business guide on preventing credential stuffing attacks, which are increasingly being used by cybercriminals to gain unauthorized access to user accounts.