Enzo Biochem Settles Ransomware Data Breach Class Action for $7.5 Million
The Farmingdale, NY-based life sciences and diagnostics company Enzo Biochem has agreed to pay $7.5 million to settle a consolidated class action lawsuit stemming from a 2023 ransomware attack and data breach. Hackers breached its network and used ransomware to encrypt files on April 6, 2023. According to regulatory filings, Enzo Biochem determined on April 11, 2023, that there had been unauthorized access to the clinical test information of 2,470,000 individuals. The compromised data was mostly limited to names and clinical test information, although approximately one-quarter of those individuals – around 600,000 – also had their Social Security numbers compromised in the incident. The Enzo Biochem data breach was one of the largest healthcare data breaches reported in 2023.
Several Enzo Biochem class action lawsuits were proposed in response to the data breach alleging Enzo Biochem data security was substandard and Enzo Biochem was negligent by failing to implement reasonable and appropriate safeguards to protect the sensitive personal and health data it collected and stored. The Enzo Biochem lawsuit alleged hackers exploited security failures to access and steal highly sensitive data, and the incident could have been prevented if reasonable security measures had been implemented. The lawsuits were consolidated into a single action in the United States District Court for the Eastern District of New York.
Enzo Biochem agreed to settle the class action lawsuit with no admission of wrongdoing or liability and continues to deny the claims in the lawsuit. Under the terms of the Enzo Biochem settlement, class members are entitled to submit claims for reimbursement of documented losses and out-of-pocket expenses fairly traceable to the data breach, up to a maximum of $10,000. Alternatively, class members may choose to receive a cash payment – a share of the $7.5 million settlement fund after attorneys’ fees, legal costs and expenses, class representative awards, and claims have been deducted. Class members will also be provided with two years of complimentary healthcare data and credit monitoring and insurance services, and Enzo Biochem has committed to implementing multifactor authentication, strengthening its password policies, encrypting consumers’ personal information, and implementing intrusion detection and prevention systems.
Enzo Biochem also paid $4.5 million to New York, New Jersey, and Connecticut to settle alleged violations of the HIPAA Rules and state laws identified during an investigation of the 2023 ransomware attack. A multi-state investigation was launched in response to the attack, and it determined that the attack was a consequence of lax security. The ransomware group accessed the network using two sets of login credentials shared by five Enzo employees, including one set of credentials that had not been updated in 10 years. Malware was installed but was not detected until ransomware was used to encrypt files, since Enzo Biochem was not properly monitoring its network for unauthorized activity. A risk analysis conducted two years before the attack and a previous risk analysis in 2017 identified risks and vulnerabilities, but Enzo Biochem failed to implement the recommended mitigations.
The state attorneys general alleged that Enzo Biochem had violated many provisions of the HIPAA Security Rule and HIPAA Breach Notification Rule by failing to declare all types of compromised data in its breach notification letters, and the lax security practices violated New York General Business Law. In addition to the financial penalty, Enzo Biochem agreed to implement a raft of security measures to strengthen its security posture.