The Office of the New York State Attorney General announced on August 13 that Letitia James, along with the Attorneys General of Connecticut and New Jersey, fined Enzo Biochem, Inc. $4.5 million for failing to adequately safeguard its patients’ health data.
Enzo conducts drug research and development and provides diagnostic services. In 2023, hackers accessed Enzo’s networks using two employee login credentials. The credentials were shared among five Enzo employees, and one set of credentials had not been changed for 10 years. The hackers installed malicious software on Enzo’s systems, stealing files and data concerning 2.4 million patients, including names, addresses, birth dates, phone numbers, Social Security numbers, and health information. Enzo did not become aware of the breach for several days because it lacked a system to monitor suspicious activity.
In addition to the $4.5 million penalty, Enzo has agreed to adopt a series of safeguards to strengthen its cybersecurity going forward.
This settlement is only the latest example of the New York Attorney General’s focus on enforcing cybersecurity.