Enzo Biochem Pays $7.5M to Resolve Ransomware Data Breach Class Action

By Daniel Lopez

The life sciences and diagnostics firm Enzo Biochem, based in Farmingdale, NY, has agreed to pay $7.5 million to resolve a consolidated class action lawsuit arising from a ransomware attack and data security breach in 2023. Hackers accessed its system and encrypted files using ransomware on April 6, 2024. According to regulatory filings, Enzo Biochem discovered on April 11, 2023, unauthorized access to its database of clinical test data involving 2,470,000 persons. The breached information included names and clinical test data, and the Social Security numbers of around one-fourth of the affected people, or about 600,000, were also compromised during the attack.

Several class action lawsuits were filed because of the data breach, claiming that Enzo Biochem was negligent in failing to implement reasonable and appropriate safeguards to secure the sensitive personal data and health information it received and stored. Hackers took advantage of those security weaknesses and stole highly sensitive information. The lawsuits were consolidated into one action in the United States District Court for the Eastern District of New York.

Enzo Biochem did not admit wrongdoing or liability but agreed to settle the class action lawsuit. Under the terms of the settlement, class members are eligible to file claims for reimbursement of documented losses and out-of-pocket costs reasonably connected to the data breach, up to $10,000. Class members may instead opt for a cash payment, a share of the $7.5 million settlement fund remaining after deducting attorneys' fees, legal costs and expenses, claims, and class representative awards. Enzo Biochem will also provide class members with free credit monitoring and insurance services for two years. Aside from the financial penalty, the firm is required to implement certain security measures, including multifactor authentication, updated password policies, encryption of consumers' personal data, and attack detection and prevention programs.

Enzo Biochem previously paid $4.5 million to settle with Connecticut, New York, and New Jersey, resolving alleged violations of state laws and the HIPAA Rules identified during the investigation of the 2023 ransomware attack. The multi-state investigation found that the attack resulted from poor security practices. The ransomware group gained access to its system using two sets of login credentials shared by five Enzo workers, one of which had not been changed for 10 years. Because Enzo Biochem failed to adequately monitor its system for unauthorized activity, the hackers were able to install malware undetected until files were encrypted with ransomware. Enzo Biochem had conducted a risk analysis two years before the attack. The risk analysis before that, performed in 2017, identified risks and vulnerabilities; however, Enzo Biochem did not carry out the recommended mitigations.

The state attorneys general claimed that Enzo Biochem had violated numerous provisions of the HIPAA Security Rule. It also violated the HIPAA Breach Notification Rule, as its breach notification letters did not state the types of data exposed in the attack. Its poor security practices also failed to comply with the New York General Business Law.


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA