Data Breach of Lab Testing Company Exposed Health Information of About 331,600 New Jerseyans
For Immediate Release: August 13, 2024
Office of the Attorney General
– Matthew J. Platkin, Attorney General
Division of Consumer Affairs
– Cari Fais, Acting Director
Division of Law
– Michael T.G. Long, Director
For Further Information:
Media Inquiries-
Allison Inserro, OAGpress@njoag.gov
TRENTON – Attorney General Matthew J. Platkin and the Attorneys General of New York and Connecticut today secured $4.5 million from Enzo Biochem, Inc., for failing to adequately safeguard the personal and private health information of its patients.
Enzo is a biotechnology company that offered patients diagnostic testing at its laboratories in New York, Connecticut, and New Jersey. An investigation found that Enzo had deficient data security practices, which led to a 2023 ransomware attack that compromised the personal and private information of approximately 2.4 million patients nationwide, including about 331,600 New Jersey residents.
As a result of the agreement, Enzo will pay $4.5 million, of which New Jersey will receive more than $930,000, and will strengthen its data security practices.
“It is stunning that as recently as last year, this healthcare company apparently did not abide by basic security precautions for online accounts, such as instructing its employees not to share passwords,” said Attorney General Platkin. “Businesses of all kinds, and especially healthcare firms, must make robust cybersecurity a top priority. Poor data security and privacy practices make it easy for cybercriminals to exploit technological vulnerabilities and gain access to sensitive health information.”
“It is the right of every New Jersey resident to have their private health information protected from the reach of malicious actors,” said Division of Consumer Affairs Acting Director Cari Fais. “The Division is committed to ensuring that businesses implement strong information security measures and holding businesses accountable when they fail to take proper precautions to safeguard consumers’ data.”
In 2023, cyber-attackers were able to access Enzo’s networks using two employee login credentials. The multistate investigation later found that those two login credentials were shared between five Enzo employees and one of the login credentials hadn’t been changed in the last ten years, putting Enzo at heightened risk of a cyberattack.
Once logged in, the attackers installed malicious software on several of Enzo’s systems. However, Enzo was not aware of the attackers’ activity until several days later because the company did not have a system or process in place to monitor or provide notice of suspicious activity.
Consequently, the attackers were able to steal files and data that contained patient information for 2.4 million patients, including names, addresses, dates of birth, phone numbers, Social Security numbers, and medical treatment/diagnosis information.
The multistate coalition alleged that the breach violated the Health Insurance Portability and Accountability Act as well as the New Jersey Consumer Fraud Act, which prohibits unfair and deceptive practices.
In addition to the financial penalties, Enzo agreed to adopt a series of measures aimed at strengthening its cybersecurity practices going forward, including:
- Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
- Implementing and maintaining policies and procedures that limit access to personal information;
- Implementing and maintaining multi-factor authentication for all individual user accounts;
- Establishing and maintaining policies and procedures that require using strong, complex passwords and password rotation;
- Encrypting all personal information, whether stored or transmitted;
- Conducting and documenting annual risk assessments; and
- Developing, implementing, and maintaining a comprehensive incident response plan for potential data security issues.
The State was represented by Deputy Attorneys General Verna J. Pradaxay and Ethan B. Rubin, under the supervision of Section Chief Kashif T. Chand and Assistant Section Chief Thomas Huynh of the Data Privacy & Cybersecurity Section, within the Affirmative Civil Enforcement Practice Group of the Division of Law. The investigation into this matter was conducted by Investigator Aziza Salikhova of the Office of Consumer Protection, within the Division of Consumer Affairs.
To learn more about cyber safety in New Jersey, visit the Cyber Safe NJ website of the Division of Consumer Affairs.
###