New York Attorney General Letitia James has announced a settlement with New York biotechnology firm Enzo Biochem and its subsidiary, Enzo Clinical Labs, to resolve alleged violations of state law and the HIPAA Security Rule. Under the settlement, Enzo will pay a $4.5 million civil penalty and improve its cybersecurity practices.
The investigation into Enzo by the New York Attorney General, conducted together with the Attorneys General of Connecticut and New Jersey, was prompted by a data security breach reported in April 2023. Attackers accessed a database server that Enzo used for analytics and reporting, extracted data associated with testing performed from October 2012 to April 2023, and then deployed ransomware to encrypt files. The attack and data theft affected approximately 2.4 million patients, including 1,457,843 residents of New York.
The hackers accessed the server using the login credentials of two Enzo employees. The investigation revealed that five employees shared these administrator-level credentials, and that one set had remained unchanged for 10 years. On April 4, 2023, the hackers installed malware on the server and used it to make thousands of attempts to connect to remote servers. Enzo's firewall blocked most of these attempts, but the company had no system that monitored the activity or alerted personnel to it. As a result, the malicious activity went undetected until the ransomware encrypted files and cut off access on April 5, 2023. Had an alerting system been in place, the theft of sensitive data and the file encryption could have been stopped.
According to the Office of the New York Attorney General (OAG), Enzo's most recent security risk assessment had been carried out by an outside vendor in November 2021. Although the vendor identified several risks to Enzo's data systems and recommended measures to address them, Enzo had not implemented those recommendations by the time of the ransomware attack in April 2023.
The vendor found that Enzo was not in compliance with HIPAA Security Rule policies and procedures, and noted that these issues had been present since a 2017 security risk assessment. The vendor also found that Enzo's process for analyzing potential risks to its data systems was lax. Although encryption was applied to electronic protected health information (ePHI) in transit and on mobile devices, ePHI remained unencrypted at rest on servers and workstations. Enzo also had no automated detection system; reviews of anomalies in user and system activity were performed manually.
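The gap described above, thousands of blocked connection attempts that nobody was told about, is what an automated review of firewall deny logs closes. The following Python is an added example (not Enzo's code, and not from the investigation) that flags a source host producing a burst of denied outbound connections to many distinct destinations; the log line format, thresholds and addresses are assumptions.

```python
"""Alert on bursts of firewall DENY events; constructed example, all values assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip>:<port>"
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+):(\d+)$")

def parse_line(line):
    """Parse one firewall log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, port = m.groups()
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": src, "dst": dst, "port": int(port)}

def find_denied_bursts(lines, window=timedelta(minutes=5), threshold=50, min_unique_dst=10):
    """Alert once per source with >= threshold DENY events to >= min_unique_dst
    distinct destinations inside any sliding time window of length `window`."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "DENY":
            per_src[ev["src"]].append(ev)
    alerts = []
    for src, events in per_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1  # slide the window start forward
            span = events[start:end + 1]
            unique_dst = {e["dst"] for e in span}
            if len(span) >= threshold and len(unique_dst) >= min_unique_dst:
                alerts.append({"src": src, "count": len(span),
                               "unique_dst": len(unique_dst)})
                break  # one alert per source is enough to page the on-call
    return alerts

def constructed_sample():
    """Constructed log: a workstation with five denies spread over an hour, plus
    an analytics server trying 120 outbound connections in about three minutes."""
    base = datetime(2023, 4, 4, 22, 0, 0)
    lines = [f"{(base + timedelta(minutes=12 * i)).isoformat()} DENY "
             f"src=10.0.5.17 dst=203.0.113.9:443" for i in range(5)]
    for i in range(120):
        ts = (base + timedelta(seconds=1.5 * i)).isoformat()
        lines.append(f"{ts} DENY src=10.0.1.20 dst=198.51.100.{i % 60}:4444")
    return lines
```

Running `find_denied_bursts(constructed_sample())` reports the analytics server only; the workstation's scattered denies never reach the threshold inside a single window.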
The OAG investigation uncovered the following weaknesses in Enzo's access controls and authentication procedures that contributed to the cyberattack:
- no multi-factor authentication for email
- shared, non-unique user login credentials
- no standard operating procedure for changing credentials
- failure to remove unused accounts
- access to resources and information not restricted according to job role
- sensitive data at rest not fully encrypted
- inadequate controls for logging and monitoring user activity
The investigation also found that Enzo failed to perform regular risk analyses and security testing of its systems, that written security policies were not strictly followed, and that individuals whose electronic protected health information (ePHI) was affected by a breach were not notified promptly.
These shortcomings were found to violate the HIPAA Privacy, Security, and Breach Notification Law and New York's General Business Law. In addition to paying the financial penalty, Enzo must improve its cybersecurity procedures. The settlement agreement requires Enzo to maintain a comprehensive data security program, put in place policies and procedures that restrict access to personal data, enforce multi-factor authentication on user accounts, revise its password guidelines, encrypt all personal data, perform and document annual risk assessments, and develop, implement, and maintain a detailed incident response plan.
When patients get blood work or medical care, their personal and health data should not end up in the hands of cybercriminals. Healthcare providers like Enzo that fail to prioritize data privacy put patients in danger of fraud and identity theft. Data security is essential to patient safety, and the Attorney General's office will hold companies accountable when they fail to protect New Yorkers.