New York Attorney General Letitia James, along with the attorneys general of Connecticut and New Jersey, has secured $4.5 million from Enzo Biochem, Inc. (Enzo) for failing to adequately safeguard patient health information. Enzo, a biotechnology company providing diagnostic testing in laboratories across New York, Connecticut, and New Jersey, was found by the Office of the Attorney General (OAG) to have poor data security practices. These deficiencies led to a ransomware attack compromising the personal and private information of approximately 2.4 million patients, including over 1.4 million New York residents.
“Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” said Attorney General James. “Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft. Data security is part of patient safety, and my office will continue to hold companies accountable when they fail to protect New Yorkers.”
In 2023, cyber-attackers accessed Enzo’s networks using two employee login credentials shared among five employees; one credential had not been changed in ten years. The attackers installed malicious software on several systems undetected for days due to inadequate monitoring processes at Enzo. The breach exposed names, addresses, dates of birth, phone numbers, Social Security numbers, and medical treatment/diagnosis information for 2.4 million patients.
As part of the agreement reached today, Enzo will pay a $4.5 million penalty—$2.8 million going to New York—and implement measures to strengthen its cybersecurity practices:
- Maintaining a comprehensive information security program
- Implementing policies limiting access to personal information
- Using multi-factor authentication for user accounts
- Establishing strong password policies
- Encrypting all personal information
- Conducting annual risk assessments
- Developing an incident response plan
Attorney General James has actively pursued actions against companies with poor cybersecurity practices while promoting improved data security measures. Recently launched initiatives include privacy guides for businesses and consumers as well as alerts about free credit monitoring services following significant data breaches.
This case was managed by Senior Enforcement Counsel Jordan Adler and Deputy Bureau Chief Clark Russell from the Bureau of Internet and Technology with assistance from Analyst Nishaant Goswamy under Bureau Chief Kim Berger's supervision.