$4.5M Settlement for Health Data Breach Impacting Over 331k New Jerseyans

Data Breach of Lab Testing Company Exposed Health Information of About 331,600 New Jerseyans.Photo byMorristown Minute

A ransomware attack exposed the personal health information of over 331,600 New Jersey residents, prompting legal action and strengthened cybersecurity measures.

MORRISTOWN, N.J. - Attorney General Matthew J. Platkin, alongside the Attorneys General of New York and Connecticut, announced a $4.5 million settlement with Enzo Biochem, Inc., a biotechnology company, for failing to protect the personal and private health information of its patients. The settlement follows an investigation into a 2023 ransomware attack that compromised the data of approximately 2.4 million patients nationwide, including 331,600 in New Jersey.

“It is stunning that as recently as last year, this healthcare company apparently did not abide by basic security precautions for online accounts, such as instructing its employees not to share passwords,” said Attorney General Platkin. “Businesses of all kinds, and especially healthcare firms, must make robust cybersecurity a top priority. Poor data security and privacy practices make it easy for cybercriminals to exploit technological vulnerabilities and gain access to sensitive health information.”

“It is the right of every New Jersey resident to have their private health information protected from the reach of malicious actors,” said Division of Consumer Affairs Acting Director Cari Fais. “The Division is committed to ensuring that businesses implement strong information security measures and holding businesses accountable when they fail to take proper precautions to safeguard consumers’ data.”

Enzo Biochem, which provided diagnostic testing at laboratories in New York, Connecticut, and New Jersey, was found to have inadequate data security practices. The breach occurred when cyber attackers accessed Enzo's networks using two employee login credentials. Shockingly, these credentials were shared among five employees, and one had not been updated in a decade, making Enzo particularly vulnerable to such attacks.

Once inside the system, the attackers installed malicious software on several of Enzo’s servers. Due to the absence of effective monitoring systems, Enzo did not detect the breach for several days, allowing the attackers to steal files containing sensitive patient information, including names, addresses, dates of birth, phone numbers, Social Security numbers, and medical treatment and diagnosis details.

The investigation concluded that Enzo’s failures violated the Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act, which prohibits unfair and deceptive practices.

As part of the settlement, Enzo will pay $4.5 million, with New Jersey receiving over $930,000. Additionally, Enzo has agreed to implement comprehensive cybersecurity measures to prevent future breaches.

These measures include:

• Maintaining a comprehensive information security program to protect private information.
• Implementing policies and procedures to limit access to personal data.
• Adopting multi-factor authentication for all user accounts.
• Establishing policies that require strong, complex passwords and regular password rotation.
• Encrypting all personal information during storage and transmission.
• Conducting annual risk assessments.
• Developing and maintaining a comprehensive incident response plan for data security issues.

Attorney General Platkin emphasized the importance of safeguarding patient data and holding companies accountable for failing to protect such sensitive information. This settlement serves as a reminder of the critical need for robust cybersecurity practices in the healthcare industry.

For more information on protecting yourself from cyber threats, visit the Cyber Safe NJ website hosted by the Division of Consumer Affairs.

For updates, subscribe to our free newsletter!

Support your local news!