New York: AG reaches $4.5M settlement with Enzo over failures in securing health data

On August 13, 2024, the New York Attorney General (AG) published Assurance of Discontinuance No. 24-056, under which it reached a $4.5 million settlement with Enzo Biochem, Inc. and Enzo Clinical Labs Inc. (collectively, Enzo) for violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and Breach Notification Rule following a security breach.

Background to the settlement

The AG noted that in April 2023, attackers gained remote access to Enzo's private network using at least two user accounts with administrator privileges, accounts that, consistent with the AG's later finding on MFA, were protected only by passwords. The attackers had access to a variety of systems and patient data, none of which were encrypted. The attackers also installed malicious software on several of Enzo's systems, exfiltrated files and data containing patient information, and deployed ransomware that encrypted several systems, rendering them inaccessible to Enzo. Enzo began providing notice of the breach to affected patients on June 5, 2023.

Findings of the AG

The AG determined that at the time of the attack Enzo's data security program was deficient in several areas, including failure to:

  • implement appropriate access controls and multifactor authentication (MFA) methods;
  • encrypt all sensitive patient data at rest;
  • put in place audit controls and monitoring;
  • conduct appropriate risk management analyses and testing; and
  • maintain and adhere to written information security policies.

On that basis, the AG found that Enzo was in violation of, among other provisions, §164.308(a)(1)(i), §164.308(a)(1)(ii)(A), §164.308(a)(1)(ii)(B), §164.308(a)(1)(ii)(D), §164.308(a)(4)(i), §164.308(a)(4)(ii)(B) through §164.308(a)(4)(ii)(D), §164.308(a)(8), and §164.404 of the HIPAA regulations.

Outcomes

Under the assurance, Enzo has agreed to pay a $4.5 million penalty, of which New York will receive $2.8 million, and to adopt a series of measures, including:

  • maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
  • implementing and maintaining policies and procedures that limit access to personal information;
  • implementing and maintaining MFA for all individual user accounts;
  • establishing and maintaining policies and procedures that require using strong, complex passwords and password rotation;
  • encrypting all personal information, whether stored or transmitted;
  • conducting and documenting annual risk assessments; and
  • developing, implementing, and maintaining a comprehensive incident response plan for potential data security issues.

You can read the assurance here and the press release here.