Biotech Company Found by NY AG to Fail to Protect New Yorkers’ Health Data

This week New York Attorney General Letitia James, and the attorneys general of Connecticut and New Jersey, announced that they had secured $4.5 million from Enzo for failing to adequately safeguard the personal and private health information of its patients. Enzo is a biotechnology company that offers patients diagnostic testing at its laboratories in New York, Connecticut, and New Jersey. The Office of the Attorney General (OAG) found that Enzo had poor data security practices, which led to a ransomware attack that compromised the personal and private information of approximately 2.4 million patients, including more than 1.4 million New York residents. Of the $4.5 million, New York State will receive $2.8 million, and Enzo has agreed to strengthen its data security practices.

In 2023, cyber-attackers accessed Enzo’s networks using two employee login credentials. The OAG later found that those two login credentials were shared among five Enzo employees and that one of them had not been changed in ten years, putting Enzo at heightened risk of a cyberattack. Patient information captured in the attack included names, addresses, dates of birth, phone numbers, Social Security numbers, and medical treatment/diagnosis information.

Under the agreement, Enzo has also agreed to adopt a series of measures aimed at strengthening its cybersecurity practices going forward, including:

  • Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
  • Implementing and maintaining procedures that limit access to personal information;
  • Implementing multi-factor authentication for all individual user accounts;
  • Establishing policies and procedures that require using strong, complex passwords and password rotation;
  • Encrypting all personal information, whether stored or transmitted;
  • Conducting and documenting annual risk assessments; and
  • Implementing a comprehensive incident response plan for potential data security issues.

To learn more, see the AG’s full statement here.