Enzo Biochem Settles HIPAA Violations with State Attorneys General for $4.5 Million
New York Attorney General Letitia James has announced that a settlement has been agreed with the New York-based biotechnology company Enzo Biochem and its subsidiary Enzo Clinical Labs (Enzo) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and state law. Under the terms of the settlement, Enzo will pay a $4.5 million civil monetary penalty and has agreed to strengthen its cybersecurity practices.
The New York Attorney General, assisted by the New Jersey and Connecticut Attorneys General, launched an investigation of Enzo following a report of an April 2023 data security incident. Hackers gained access to an Enzo database server that was used for analytics and reporting, exfiltrated data relating to testing between October 2012 and April 2023, and then used ransomware to encrypt files. In total, around 2.4 million patients had their data stolen in the attack, including 1,457,843 New York residents.
The hackers used the login credentials of two Enzo employees to access the server. The investigation found that those administrative-level login credentials had been shared among five employees, and that one of those sets of credentials had not been changed for 10 years. After accessing the network, the hackers installed malware, which started attempting to connect to remote servers on April 4, 2023. The malware made hundreds of thousands of attempts to connect to remote servers, and tens of thousands of those attempts were blocked by Enzo’s firewall; however, there was no system or process in place to monitor or provide notice of the suspicious activity, so Enzo personnel did not identify it. Had a system been in place to alert personnel about the malicious activity, it may have been possible to prevent the exfiltration of sensitive data and the file encryption on April 5, 2023. Enzo only detected the attack when the ransomware encrypted files, preventing access.
The Office of the New York Attorney General (OAG) determined that the last security risk assessment was conducted by a vendor in November 2021. The vendor identified several risks to Enzo’s information systems and made several recommendations to address the vulnerabilities, but no action was taken to implement those recommendations prior to the April 2023 ransomware attack.
The vendor identified a lack of HIPAA Security Rule policies and procedures, and those gaps predated a 2017 security risk assessment that had also identified those gaps. The vendor found that the process for evaluating potential risks to information systems was informal, and while encryption had been implemented for ePHI in transit and on mobile devices, ePHI was not encrypted at rest on servers and workstations. There was also no automated detection system, with reviews of user and network activity for anomalies conducted manually.
The OAG investigation identified several security deficiencies that contributed to the attack. They included a lack of appropriate access controls and authentication measures, such as multi-factor authentication for email, unique credentials for all users, procedures for updating credentials, and the deletion of unused accounts, as well as a failure to restrict users’ access to the resources and data necessary for their job function.
Encryption had not been fully implemented to protect sensitive data at rest, there was a lack of controls for recording and reviewing records of user activity, a failure to conduct risk analyses and testing of the security of its systems, a failure to maintain and adhere to written security policies, and a failure to notify individuals about a breach of their ePHI. These failures were determined to have violated 12 provisions of the HIPAA Privacy, Security, and Breach Notification Rules, and also New York’s General Business Law.
In addition to paying the financial penalty, Enzo is required to strengthen its cybersecurity practices. The settlement agreement stipulates maintaining a comprehensive information security program, implementing policies and procedures to limit access to personal information, implementing multi-factor authentication on user accounts, updating its password policies, encrypting all personal information, conducting and documenting annual risk assessments, and ensuring that a comprehensive incident response plan is developed, implemented, and maintained.
“Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” said Attorney General James. “Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft. Data security is part of patient safety, and my office will continue to hold companies accountable when they fail to protect New Yorkers.”