State AGs Secure $4.5 Million Settlement with Biochem Company to Resolve HIPAA Violations
Attorneys General in three U.S. states have agreed to a settlement with a biochemical company and its subsidiary to resolve alleged violations of the HIPAA Rules and New York business law. Enzo Clinical Labs and its parent company Enzo Biochem were investigated by New York, New Jersey, and Connecticut over a ransomware attack and data breach that affected 2.4 million individuals. The attack occurred in early April 2023 and resulted in ransomware being used to encrypt files. Two days prior to file encryption, sensitive data was exfiltrated from its systems.
The security breach was identified on April 6, 2023, when files were encrypted; however, the malicious activity was evident two days before file encryption; however, no action was taken. The ransomware gang had gained access to a server and installed malware that attempted to connect to the attacker’s server hundreds of thousands of times. Enzo’s firewall identified tens of thousands of those attempts and determined them to be malicious and blocked them; however, no alerts were generated to staff to tip them off about the intrusion.
The investigation also determined that the hackers accessed the server using the credentials of two employees. Those credentials provided administrative access and were shared by 5 employees. While it is a standard cybersecurity best practice to update credentials periodically, one set of those credentials had not been changed in the past 10 years. Steps had been taken by Enzo to protect electronic protected health information (ePHI) in transit through encryption, which was also used on portable electronic devices, but not for data at rest on servers and workstations. Encryption would not have prevented the ransomware attack, but it would have prevented the data breach.
The investigation also uncovered risk analysis and risk management issues. Enzo had arranged for a risk analysis to be conducted in November 2021, but no further risk analyses were conducted between that risk analysis and the ransomware attack. Enzo also failed to take action to correct many of the security issues identified in that risk analysis. Some of the issues in that risk analysis had been identified in its previous risk analysis in 2017 and had not been corrected.
The security failures identified during the investigation were deemed to be violations of the HIPAA Rules and New York General Business Law. Enzo was determined to have failed to comply with the following HIPAA Privacy, Security, and Breach Notification Rule provisions:
- 45 CFR § 164.308(a)(1)(i) – Policies and procedures to prevent, detect, contain, and correct security violations
- 45 CFR § 164.308(a)(1)(ii)(A) and (B) – Conduct a thorough risk analysis and reduce identified risks to a reasonable and appropriate level
- 45 CFR § 164.308(a)(1)(ii)(D) – Regular reviews of records of information system activity
- 45 CFR § 164.308(a)(4)(i) – Policies and procedures for authorizing access to ePHI
- 45 CFR § 164.308(a)(4)(ii)(B) and (C) – Procedures for granting access to ePHI, modifying right of access based on authorization policies.
- 45 CFR § 164.308(a)(5)(ii)(C) and (D) – Procedures for monitoring log-in attempts, reporting discrepancies, and creating, safeguarding, and changing passwords
- 45 CFR § 164.308(a)(8) – Periodic technical and nontechnical evaluations of security policies and procedures
- 45 CFR § 164.312(a)(1), (2)(I) and (2)(iv) – Technical policies and procedures to allow access to persons granted access rights, unique user identification, and encryption of ePHI
- 45 CFR § 164.312(b) – Controls for recording and examining activity in information systems
- 45 CFR § 164.312(d) – Verification procedures to ensure a person seeking access to ePHI is who they claim
- 45 CFR § 164.316(b) – Reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule
- 45 CFR § 164.404 – Notifications to individuals whose unsecured PHI was accessed in a breach
- GBL § 899-bb – Implementation and maintenance of reasonable security safeguards
The terms of the settlement include a $4.5 million financial penalty which will be split between New York, New Jersey, and Connecticut, and the implementation of security measures, policies, and procedures to comply with the HIPAA Rules and ensure future compliance.
