Attorney General James Secures 45 Million from Biotech Company for Failing to Protect New Yorkers Health Data

pNEW YORK New York Attorney General Letitia James and the attorneys general of Connecticut and New Jersey today secured 45 million from Enzo Biochem Inc Enzo for failing to adequately safeguard the personal and private health information of its patients Enzo is a biotechnology company that offers patients diagnostic testing at its laboratories in New York Connecticut and New Jersey The Office of the Attorney General OAG found that Enzo had poor data security practices which led to a ransomware attack that compromised the personal and private information of approximately 24 million patients including more than 14 million New York residents As a result of todays agreement Enzo will pay 45 million of which New York will receive 28 million and will strengthen its data security practices ppGetting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals said Attorney General James Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft Data security is part of patient safety and my office will continue to hold companies accountable when they fail to protect New Yorkers ppIn 2023 cyberattackers were able to access Enzos networks using two employee login credentials The OAG later found that those two login credentials were shared between five Enzo employees and one of the login credentials hadnt been changed in the last ten years putting Enzo at heightened risk of a cyberattack Once logged in the attackers installed malicious software on several of Enzos systems Enzo was not aware of the attackers activity until several days later because the company did not have a system or process in place to monitor or provide notice of suspicious activity The attackers were able to steal files and data that contained patient information for 24 million patients including 1457843 New Yorkers Information that was compromised included names addresses dates of birth phone numbers Social Security numbers and medical treatmentdiagnosis information ppAs a result of todays agreement Enzo has agreed to pay a 45 million penalty of which New York will receive 28 million and adopt a series of measures aimed at strengthening its cybersecurity practices going forward including ppAttorney General James has taken several actions to hold companies accountable for having poor cybersecurity and to improve data security practices Last month Attorney General James launched two privacy guides a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web to help businesses and consumers protect themselves In July Attorney General James issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach In March 2024 Attorney General James led a bipartisan coalition of 41 attorneys general in sending a letter to Meta Platforms Inc Meta addressing the recent rise of Facebook and Instagram account takeovers by scammers and frauds In April 2023 Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices In January 2022 Attorney General James released a business guide for credential stuffing attacks that detailed how businesses could protect themselves and consumersppThis matter was handled by Senior Enforcement Counsel Jordan Adler and Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology with special assistance from Internet and Technology Analyst Nishaant Goswamy under the supervision of Bureau Chief Kim Berger The Bureau of Internet and Technology is a part of the Division for Economic Justice which is led by Chief Deputy Attorney General Chris DAngelo and overseen by First Deputy Attorney General Jennifer LevyppWe value your privacyWe use cookies to enhance your browsing experience improve our content delivery and analyze our traffic We do not use cookies for advertising or marketing purposes By using this website you consent to our use of cookies You can learn more about how we collect and use information by reviewing our privacy policyp