A biotech company recently settled with three state attorneys general (AGs) over allegations that it had failed to protect consumer information. According to the AGs of Connecticut, New York and New Jersey, those failures led to a 2023 data incident. The company, Enzo Biochem, agreed to pay a $4.5 million civil penalty and to take several steps to modify its information security program.
According to the three states, Enzo engaged a third party to conduct a risk assessment and analysis in 2021. The focus of the assessment was the company’s compliance with the HIPAA Security Rule. The vendor identified several issues to remediate. They included encrypting PHI at rest on Enzo servers and desktops and implementing automated systems to detect network anomalies. They also recommended documenting policies and procedures and creating a formalized approach to potential risks. According to the AGs, these changes were not made.
In 2023, threat actors gained access to Enzo’s systems and accessed and exfiltrated 2.4 million patients’ information, including Social Security numbers and medical treatment and diagnosis information. According to the AGs, the threat actors were able to move laterally throughout Enzo’s systems using the login credentials of two administrator accounts. Those credentials were shared among five employees, and one of them had not been changed for ten years. The AGs alleged that these specific security failures resulted in the breach.
As part of the settlement, Enzo agreed to document internal and external risks to personal information and to implement reasonable safeguards for the information it holds. It also agreed to test its program annually and to use only vendors that can adequately safeguard personal information. It further agreed to harden its access controls and to implement multi-factor authentication and password management processes. Enzo also agreed to undergo a third-party data security assessment and to provide the results to the New York AG. The company also agreed to implement a variety of policies and procedures, including an incident response plan, and to retain the documents required under the settlement and make them available to the AGs for at least six years.
Putting It Into Practice: The terms of this settlement, and the issues identified by the AGs in their assurance of discontinuance, highlight regulator expectations in the security space. These include identifying and documenting potential risks and having a process to address and remediate identified risks.