Old and shared employee passwords led to a stunning data breach at a healthcare company that compromised patient data for over 331,000 New Jersey residents, according to New Jersey Attorney General Mathew Platkin.

Platkin's office announced a multi-state settlement with New York-based Enzo Biochem, which provided diagnostic testing at laboratories in New York, Connecticut, and New Jersey.

A data breach in 2023 exposed the personal data of over 2.4 million people in the U.S., including 331,600 people in New Jersey, according to Platkin.

As a result of the agreement, Platkin says Enzo will pay a $4.5 million penalty to New Jersey, New York, and Connecticut, and has agreed to strengthen its data security practices.

New Jersey will receive more than $930,000 under the terms of the agreement.

A 'stunning' lack of security

Platkin says his office's investigation revealed that the attackers gained access to Enzo's networks using two employee login credentials.

Those two credentials, Platkin says, were shared among five Enzo employees.

One of the passwords used in the attack had not been changed in at least ten years.

"It is stunning that as recently as last year, this healthcare company apparently did not abide by basic security precautions for online accounts, such as instructing its employees not to share passwords,” Platkin said in a statement, "Businesses of all kinds, and especially healthcare firms, must make robust cybersecurity a top priority. Poor data security and privacy practices make it easy for cybercriminals to exploit technological vulnerabilities and gain access to sensitive health information."

Once the cybercriminals were logged in using the employee credentials, they installed malicious software on several of Enzo’s systems.

They were then able to steal patient information that included: names, addresses, dates of birth, phone numbers, Social Security numbers, and medical treatment/diagnosis information.

Due to a lack of system monitoring, Enzo did not become aware of the attack for several days, according to Platkin.
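The two failures described above, one set of credentials used from many machines and a password that had not been rotated in a decade, are both visible in data most organizations already collect. The following is an added example, not code from Enzo or from the Attorney General's office, that runs a shared-credential check and a password-age check over a constructed authentication log; the log format, account names, hostnames and thresholds are assumptions made for illustration.

```python
"""Added example: flag shared credentials and stale passwords from auth data.

Illustrative code written for this article, not from Enzo Biochem or the
New Jersey Attorney General. The log format ("timestamp user source_host"),
the account and host names, and the thresholds are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one successful login per line, "timestamp user source_host".
SAMPLE_AUTH_LOG = """\
2023-04-03T08:01:12 lab_shared WS-LAB-01
2023-04-03T08:03:40 lab_shared WS-LAB-07
2023-04-03T08:05:02 lab_shared VPN-POOL-23
2023-04-03T08:09:55 lab_shared WS-LAB-11
2023-04-03T08:12:30 lab_shared 10.8.0.44
2023-04-03T08:15:00 jsmith WS-LAB-02
2023-04-03T09:20:00 jsmith WS-LAB-02
"""

# Constructed sample: account -> date the password was last set (from a
# directory export, for instance; the values here are made up).
PASSWORD_LAST_SET = {
    "lab_shared": datetime(2013, 1, 15),
    "jsmith": datetime(2023, 1, 10),
}


def parse_auth_log(text):
    """Parse the assumed three-column format into (timestamp, user, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return events


def find_shared_accounts(events, window=timedelta(hours=1), min_hosts=3):
    """Return {account: set_of_hosts} for accounts that logged in from at
    least `min_hosts` distinct sources within any sliding window of `window`.

    A single person rarely authenticates from many different machines in a
    short period; several people using one login do exactly that."""
    by_user = defaultdict(list)
    for ts, user, host in sorted(events):
        by_user[user].append((ts, host))

    flagged = {}
    for user, logins in by_user.items():
        for i, (start, _) in enumerate(logins):
            # Every login from index i onward that falls inside the window.
            hosts = {h for t, h in logins[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = flagged.get(user, set()) | hosts
    return flagged


def find_stale_passwords(last_set, now, max_age_days=90):
    """Return {account: age_in_days} for passwords older than max_age_days."""
    return {
        user: (now - set_on).days
        for user, set_on in last_set.items()
        if (now - set_on).days > max_age_days
    }


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, hosts in find_shared_accounts(events).items():
        print(f"shared credential? {user}: {len(hosts)} sources in one hour: {sorted(hosts)}")
    for user, age in find_stale_passwords(PASSWORD_LAST_SET, datetime(2023, 4, 3)).items():
        print(f"stale password: {user} last changed {age} days ago")
```

Both checks are cheap enough to run daily; the shared-credential detector is the more useful of the two, because it surfaces the practice the settlement singles out without waiting for a password-age report to be read.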

Promises to enhance security

Under the terms of the settlement, Enzo has not admitted to wrongdoing but has agreed to a number of security enhancements.

These include:

✔ Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information
✔ Implementing and maintaining policies and procedures that limit access to personal information
✔ Implementing and maintaining multi-factor authentication for all individual user accounts
✔ Establishing and maintaining policies and procedures that require using strong, complex passwords and password rotation
✔ Encrypting all personal information, whether stored or transmitted
✔ Conducting and documenting annual risk assessments
✔ Developing, implementing, and maintaining a comprehensive incident response plan for potential data security issues

“It is the right of every New Jersey resident to have their private health information protected from the reach of malicious actors,” said Division of Consumer Affairs Acting Director Cari Fais.

“The Division is committed to ensuring that businesses implement strong information security measures and holding businesses accountable when they fail to take proper precautions to safeguard consumers’ data.”
