Hackers broke into the network of Enzo Biochem, a New York life sciences company, in April and stole clinical test information of nearly 2.5 million people. The breach is among the largest so far in 2023, a year that is breaking records for the number of people affected by individual healthcare data breaches.

As of this writing the breach has not been reported to HHS, but Enzo disclosed the incident to the Securities and Exchange Commission in an 8-K filing on May 30, 2023. The SEC requires this “current report” to announce major events that shareholders should know about.

Enzo Biochem is a life sciences and biotechnology company that performs research and provides diagnostic services and treatments for cancer, metabolic, and infectious diseases. Enzo also provides testing services for COVID-19, genetic conditions, and sexually transmitted diseases. In its SEC filing Enzo said it “incurred and may continue to incur” expenses related to the attack, including costs to remediate and investigate the incident.

Enzo reported that after it discovered the attack on April 11 it disconnected its systems from the internet and kept operating on backup procedures, which created operational challenges and delayed the processing of laboratory specimens. The filing also said the attackers were able to access and exfiltrate sensitive data from the company’s systems, including clinical test information for about 2,470,000 individuals and approximately 600,000 Social Security numbers.

Enzo is Subject to HIPAA

Enzo Biochem operates through three wholly-owned subsidiaries: Enzo Therapeutics, Enzo Life Sciences and Enzo Clinical Labs. It has direct patient relationships through its clinical lab operation and, according to its own SEC filings, is a “clinical laboratory” subject to the Clinical Laboratory Improvement Amendments of 1988 (CLIA). A clinical laboratory that conducts any HIPAA standard transactions electronically (claims and billing, for example) is a Covered Entity healthcare provider subject to HIPAA. Enzo posts a HIPAA Notice of Privacy Practices on its website, which covered entities are required to do.

Enzo’s notice of the security incident makes it clear that the ransomware attack compromised data in its clinical laboratory operations, so Enzo will likely report the breach to HHS and notify all affected individuals, as the Breach Notification Rule requires. For a breach affecting 500 or more individuals, that rule requires notice to the individuals and to HHS without unreasonable delay and no later than 60 days after discovery, plus notice to prominent media outlets in any state or jurisdiction where more than 500 residents are affected. In its 8-K filing Enzo stated, “The Company will provide notice to the individuals whose information may have been involved, as well as to regulatory authorities, in accordance with applicable law.”

The Aftermath of a Large Breach

Breaches are expensive. On top of business interruption, forensic investigation fees and legal expenses, Enzo will bear the cost of notifying 2.47 million patients and of responding to a HIPAA investigation by the Office for Civil Rights (OCR) at HHS.

Then come the lawsuits, and there will likely be several. The first we are aware of was filed June 9, 2023 in the U.S. District Court for the Eastern District of New York: Epstein v. Enzo Clinical Labs, Inc. and Laboratory Corporation of America Holdings. The lawsuit is a proposed class action and alleges that the defendants failed to implement adequate data security measures, resulting in the April 2023 breach of the protected health information (PHI) of millions of patients. An internet search turns up at least one other law firm advertising for affected patients to come forward and join a similar lawsuit against Enzo.

Prevention is the Best Way to Avoid Ransomware

Strong HIPAA compliance is also a blueprint for preventing cybercrime, including the ransomware attacks that produce massive breaches. An annual Risk Analysis, investment in cybersecurity improvements and workforce training all pay dividends because each shores up defenses against cyber attacks. Use the Security Rule Checklist to uncover gaps and make a plan to close them, and consult other resources such as the updated StopRansomware Guide from CISA and the FBI.

Compliance and prevention are much less expensive than investigations and lawsuits that can drag on for months or years. Ask The HIPAA E-Tool® what your next steps might be.
