New York Attorney General Letitia James, along with attorneys general from Connecticut and New Jersey, secured a $4.5 million settlement with Enzo Biochem, headquartered in Farmingdale.

The company, which offers diagnostic testing for patients at labs in New York, Connecticut and New Jersey, did not “adequately safeguard the personal and private health information of its patients,” according to the NYAG’s office.

The AG’s office said that the company had “poor data security practices, which led to a ransomware attack that compromised the personal and private information of approximately 2.4 million patients,” including more than 1.4 million New Yorkers.

In the agreement, New York will receive $2.8 million of the settlement, and Enzo will strengthen its data security practices.

“Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” James said in a news release about the settlement.

“Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft,” she added. “Data security is part of patient safety, and my office will continue to hold companies accountable when they fail to protect New Yorkers.”

LIBN was not immediately able to reach Enzo Biochem for comment.

In 2023, cyberattackers accessed Enzo’s networks using two employee login credentials, according to officials. The AG’s office said it later found that those two login credentials were shared among five Enzo employees and that one of them had not been changed in the last 10 years, putting Enzo at heightened risk of a cyberattack. Once logged in, the attackers installed malicious software on several of Enzo’s systems.

Enzo was not aware of the attackers’ activity until several days later, the AG’s office said, because the company did not have a system to monitor or provide notice of suspicious activity. The attackers were able to steal files and data. Information that was compromised included names, addresses, dates of birth, phone numbers and Social Security numbers as well as medical treatment, diagnosis information or both.

With the agreement, the AG’s office said, the company will adopt measures aimed at strengthening its cybersecurity practices. Those measures include maintaining a comprehensive information security program designed to protect the security, confidentiality and integrity of private information. Additional measures include implementing and maintaining policies and procedures that limit access to personal information. They also include implementing and maintaining multi-factor authentication for all individual user accounts.

In addition, the company will establish and maintain policies and procedures that require using strong, complex passwords and password rotation. Other measures include encrypting all personal information, whether stored or transmitted. The company will also conduct and document annual risk assessments and develop, implement and maintain a comprehensive incident response plan for potential data security issues.
