State AGs Secure $4.5 Million Settlement with Biochem Company to Resolve HIPAA Violations
Attorneys General in three U.S. states have agreed to a settlement with a biochemical company and its subsidiary to resolve alleged violations of the HIPAA Rules and New York business law. Enzo Clinical Labs and its parent company Enzo Biochem were investigated by New York, New Jersey, and Connecticut over a ransomware attack and data breach that affected 2.4 million individuals. The attack occurred in early April 2023 and resulted in ransomware being used to encrypt files. Two days prior to file encryption, sensitive data was exfiltrated from its systems.
The security breach was identified on April 6, 2023, when files were encrypted; however, the malicious activity had been evident two days before file encryption, and no action was taken. The ransomware gang had gained access to a server and installed malware that attempted to connect to the attacker's server hundreds of thousands of times. Enzo's firewall identified tens of thousands of those attempts, determined them to be malicious, and blocked them; however, no alerts were generated to staff to tip them off about the intrusion.
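The failure described above is a firewall that blocked the malware's outbound connection attempts but never told anyone. The following is an added example, not code from the article or from Enzo, of the detection logic a security team could run over exported firewall logs to turn that silent blocking into an alert: it groups BLOCK events by internal source and external destination and raises an alert when the same pair is blocked repeatedly inside a short time window, which is the beaconing pattern the article describes. The log format, field names, sample lines, threshold and window are all constructed for illustration.

```python
"""Raise alerts on repeated blocked outbound connections in firewall logs.

Added example; the log format below is constructed, not a real vendor format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not real Enzo logs). Host
# 10.20.5.17 is repeatedly blocked reaching one external address, the
# pattern of malware retrying its command-and-control server. Host
# 10.20.7.3 has only two isolated blocks and should not alert.
SAMPLE_LOGS = """\
2023-04-04T02:00:01Z action=BLOCK src=10.20.5.17 dst=203.0.113.9 dport=443 proto=tcp
2023-04-04T02:00:04Z action=BLOCK src=10.20.5.17 dst=203.0.113.9 dport=443 proto=tcp
2023-04-04T02:00:07Z action=BLOCK src=10.20.5.17 dst=203.0.113.9 dport=443 proto=tcp
2023-04-04T02:00:10Z action=BLOCK src=10.20.5.17 dst=203.0.113.9 dport=443 proto=tcp
2023-04-04T02:00:13Z action=BLOCK src=10.20.5.17 dst=203.0.113.9 dport=443 proto=tcp
2023-04-04T02:00:16Z action=BLOCK src=10.20.5.17 dst=203.0.113.9 dport=443 proto=tcp
2023-04-04T02:01:00Z action=ALLOW src=10.20.7.3 dst=198.51.100.20 dport=443 proto=tcp
2023-04-04T02:01:30Z action=BLOCK src=10.20.7.3 dst=198.51.100.77 dport=25 proto=tcp
2023-04-04T02:45:00Z action=BLOCK src=10.20.7.3 dst=198.51.100.77 dport=25 proto=tcp
"""

# Constructed tuning values: alert when one (src, dst) pair is blocked
# at least THRESHOLD times within any WINDOW-long span.
THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    parts = line.split()
    event = dict(p.split("=", 1) for p in parts[1:])
    event["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_repeated_blocks(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert dict per (src, dst) pair that exceeds the threshold.

    Uses a sliding window over the sorted block timestamps so that a slow,
    steady beacon and a fast burst are both caught by the same rule.
    """
    blocked = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event.get("action") != "BLOCK":
            continue
        blocked[(event["src"], event["dst"])].append(event["ts"])

    alerts = []
    for (src, dst), times in blocked.items():
        times.sort()
        start = 0
        max_in_window = 0
        for end in range(len(times)):
            # Advance the window start until it fits within WINDOW of times[end].
            while times[end] - times[start] > window:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)
        if max_in_window >= threshold:
            alerts.append({
                "src": src,
                "dst": dst,
                "max_in_window": max_in_window,
                "total_blocked": len(times),
                "first_seen": times[0].isoformat(),
                "last_seen": times[-1].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_repeated_blocks(SAMPLE_LOGS):
        print("ALERT repeated blocked outbound connections:", alert)
```

The point of the rule is that a block decision is evidence, not a resolution: an internal host that keeps being stopped from reaching the same external address is a host that is trying to, and that should page someone. In practice the same logic runs inside a SIEM correlation rule over the firewall's exported deny logs, with the threshold and window tuned to the environment.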
The investigation also determined that the hackers accessed the server using the credentials of two employees. Those credentials provided administrative access and were shared by 5 employees. While it is a standard cybersecurity best practice to update credentials periodically, one set of those credentials had not been changed in the past 10 years. Steps had been taken by Enzo to protect electronic protected health information (ePHI) in transit through encryption, which was also used on portable electronic devices, but not for data at rest on servers and workstations. Encryption would not have prevented the ransomware attack, but it would have prevented the data breach.
The investigation also uncovered risk analysis and risk management issues. Enzo had arranged for a risk analysis to be conducted in November 2021, but no further risk analyses were conducted between that risk analysis and the ransomware attack. Enzo also failed to take action to correct many of the security issues identified in that risk analysis. Some of the issues in that risk analysis had been identified in its previous risk analysis in 2017 and had not been corrected.
The security failures identified during the investigation were deemed to be violations of the HIPAA Rules and New York General Business Law. Enzo was determined to have failed to comply with the following HIPAA Privacy, Security, and Breach Notification Rule provisions:
- 45 CFR § 164.308(a)(1)(i) – Policies and procedures to prevent, detect, contain, and correct security violations
- 45 CFR § 164.308(a)(1)(ii)(A) and (B) – Conduct a thorough risk analysis and reduce identified risks to a reasonable and appropriate level
- 45 CFR § 164.308(a)(1)(ii)(D) – Regular reviews of records of information system activity
- 45 CFR § 164.308(a)(4)(i) – Policies and procedures for authorizing access to ePHI
- 45 CFR § 164.308(a)(4)(ii)(B) and (C) – Procedures for granting access to ePHI and modifying rights of access based on authorization policies
- 45 CFR § 164.308(a)(5)(ii)(C) and (D) – Procedures for monitoring log-in attempts, reporting discrepancies, and creating, safeguarding, and changing passwords
- 45 CFR § 164.308(a)(8) – Periodic technical and nontechnical evaluations of security policies and procedures
- 45 CFR § 164.312(a)(1), (2)(i) and (2)(iv) – Technical policies and procedures to allow access only to persons granted access rights, unique user identification, and encryption of ePHI
- 45 CFR § 164.312(b) – Controls for recording and examining activity in information systems
- 45 CFR § 164.312(d) – Verification procedures to ensure a person seeking access to ePHI is who they claim to be
- 45 CFR § 164.316(b) – Reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule
- 45 CFR § 164.404 – Notifications to individuals whose unsecured PHI was accessed in a breach
- GBL § 899-bb – Implementation and maintenance of reasonable security safeguards
The terms of the settlement include a $4.5 million financial penalty, which will be split between New York, New Jersey, and Connecticut, and the implementation of security measures, policies, and procedures to comply with the HIPAA Rules and ensure future compliance.