[co-author: Stephanie Kozol]*
Molecular diagnostics company Enzo Biochem, Inc. has reached settlements resolving investigations in relation to a 2023 data breach by the attorneys general (AG) for Connecticut, New Jersey, and New York. Enzo has agreed to pay the states a total of $4.5 million, as well as institute and maintain new data security protocols.
Announced on August 13, Enzo’s settlements with Connecticut, New Jersey, and New York allege that the company violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and applicable provisions of state law, including New Jersey’s Consumer Fraud Act and New York’s General Business Law.
The AGs’ statements on the settlements describe Enzo as a biotechnology company that offered patients diagnostic testing at laboratories in Connecticut, New Jersey, and New York, and allege that, in a 2023 ransomware attack, cyber-attackers were able to access Enzo’s networks using two employee login credentials to steal files and data that included the names, addresses, dates of birth, phone numbers, Social Security numbers, and medical treatment/diagnosis information for approximately 2.4 million patients.
According to the AGs, the two login credentials were shared between five Enzo employees and one set of credentials had not been changed in 10 years. Once logged in, the attackers allegedly installed malicious software on several of Enzo’s systems. The AGs alleged that Enzo did not become aware of the attackers’ activity until several days later because the company did not have a system or process in place to monitor or provide notice of suspicious activity.
In her statement announcing the settlement, New York AG Letitia James asserted that more than 1.4 million New Yorkers were affected by the breach. In his announcement, New Jersey AG Matt Platkin said 331,600 residents from his state had been affected. Connecticut AG William Tong claimed 193,000 Connecticut residents were affected. Of the $4.5 million imposed in the settlements, New York will receive $2.8 million, New Jersey will receive approximately $930,000, and Connecticut will receive $743,000.
Enzo made no admission of wrongdoing in reaching the settlements.
Why It Matters
Enzo’s settlements underscore the importance of maintaining updated data governance protocols, including prohibiting shared login credentials and mandating frequent changes to such credentials.
*Senior Government Relations Manager