Press Releases

Attorney General William Tong

08/13/2024

Attorney General Tong Joins Multistate Coalition to Secure $4.5 Million from Biotech Company for Failing to Protect Health Data

(Hartford, CT) – Attorney General William Tong, along with the attorneys general of New York and New Jersey, today secured $4.5 million from Enzo Biochem, Inc. (Enzo) for failing to adequately safeguard the personal and private health information of its patients. Enzo is a biotechnology company that offered patients diagnostic testing at its laboratories in Connecticut, New Jersey, and New York.

An investigation found that Enzo had poor data security practices, which led to a ransomware attack that compromised the personal and private information of approximately 2.4 million patients, including more than 193,000 Connecticut residents. As a result of today’s agreement, Enzo will pay $4.5 million, of which Connecticut will receive $743,110.76.

“Through our comprehensive investigation, we found that Enzo failed to safeguard sensitive data of thousands of Connecticut residents, including Social Security numbers and clinical test information,” said Attorney General Tong. “This agreement sends a strong message to companies that we will hold them accountable if they fail to take reasonable measures to protect consumers’ information.”

In 2023, cyber-attackers were able to access Enzo’s networks using two employee login credentials. The investigation later found that those two login credentials were shared between five Enzo employees and one of the login credentials hadn’t been changed in the last ten years, putting Enzo at heightened risk of a cyberattack. Once logged in, the attackers installed malicious software on several of Enzo’s systems. Enzo was not aware of the attackers’ activity until several days later because the company did not have a system or process in place to monitor or provide notice of suspicious activity. The attackers were able to steal files and data that contained patient information for 2.4 million patients. Information that was compromised included names, addresses, dates of birth, phone numbers, Social Security numbers, and medical treatment/diagnosis information.

As a result of today’s agreement, Enzo has also agreed to adopt a series of measures aimed at strengthening its cybersecurity practices going forward, including:

• Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;

• Implementing and maintaining policies and procedures that limit access to personal information;

• Implementing and maintaining multi-factor authentication for all individual user accounts;

• Establishing and maintaining policies and procedures that require using strong, complex passwords and password rotation;

• Encrypting all personal information, whether stored or transmitted;

• Conducting and documenting annual risk assessments; and

• Developing, implementing, and maintaining a comprehensive incident response plan for potential data security issues.

Assistant Attorneys General Laura Martella and Kileigh Nassau, as well as Deputy Associate Attorney General and Privacy Section Chief Michele Lucan, assisted the Attorney General in this matter.

Twitter: @AGWilliamTong
Facebook: CT Attorney General
Media Contact:

Elizabeth Benton
elizabeth.benton@ct.gov

Consumer Inquiries:

860-808-5318
attorney.general@ct.gov