NEW YORK – The state of New York announced Wednesday that Enzo Biochem will pay $4.5 million for a 2023 data breach involving 2.4 million patient records across three states.
The $4.5 million will be shared by New York state, Connecticut, and New Jersey.
"Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals," New York Attorney General Letitia James said in a statement. "Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft. Data security is part of patient safety, and my office will continue to hold companies accountable when they fail to protect New Yorkers."
The New York attorney general's investigation found that Farmingdale, New York-based Enzo was using two employee login credentials shared by five employees, and one of the credentials had not been changed in 10 years.
The cyberattackers were able to obtain a login and install malicious software, the attorney general's office said, and a lack of monitoring resulted in the theft going unnoticed for several days.
The attackers ultimately obtained names, addresses, dates of birth, phone numbers, Social Security numbers, and medical treatment and diagnosis information, the attorney general's office said.
In addition to the fine, Enzo has agreed to strengthen its data security by limiting access to personal information; using multi-factor authentication, strong passwords, and data encryption; conducting risk assessments; and implementing incident response plans.
Enzo completed the sale of its clinical lab division to Laboratory Corporation of America in March 2023 as part of a restructuring initiative to focus on life science drug discovery and research products and services.