Molecular diagnostics company Enzo Biochem, Inc. has reached settlements resolving investigations by the attorneys general (AGs) of Connecticut, New Jersey, and New York into a 2023 data breach. Enzo has agreed to pay the states a total of $4.5 million and to institute and maintain new data security protocols.

Announced on August 13, Enzo’s settlements with Connecticut, New Jersey, and New York allege that the company violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and applicable provisions of state law, including New Jersey’s Consumer Fraud Act and New York’s General Business Law.

According to the AGs’ statements on the settlements, Enzo is a biotechnology company that offered patients diagnostic testing at laboratories in Connecticut, New Jersey, and New York. The AGs alleged that, in a 2023 ransomware attack, cyber-attackers were able to access Enzo’s networks using two employee login credentials and steal files and data that included the names, addresses, dates of birth, phone numbers, Social Security numbers, and medical treatment/diagnosis information of approximately 2.4 million patients.

According to the AGs, the two login credentials were shared among five Enzo employees, and one set of credentials had not been changed in 10 years. Once logged in, the attackers allegedly installed malicious software on several of Enzo’s systems. The AGs alleged that Enzo did not become aware of the attackers’ activity until several days later because the company did not have a system or process in place to monitor or provide notice of suspicious activity.

In her statement announcing the settlement, New York AG Letitia James asserted that more than 1.4 million New Yorkers were affected by the breach. In his announcement, New Jersey AG Matt Platkin said 331,600 residents from his state had been affected. Connecticut AG William Tong claimed 193,000 Connecticut residents were affected. Of the $4.5 million imposed in the settlements, New York will receive $2.8 million, New Jersey will receive approximately $930,000, and Connecticut will receive $743,000.

Enzo made no admission of wrongdoing in reaching the settlements.

Why It Matters

Enzo’s settlements underscore the importance of maintaining updated data governance protocols, including prohibitions on shared login credentials and mandated, frequent updates to such credentials.


Troutman Pepper State Attorneys General Team

Ashley Taylor – Co-leader and Firm Vice Chair
Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.
Clay Friedman – Co-leader
Clayton is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice, multidisciplinary teams with decades of experience crafting effective strategies to help deter or mitigate the risk of enforcement actions and litigation.
Judy Jagdmann
Judy is a partner in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based in the Richmond office. She brings experience serving as chair and commissioner of the Virginia State Corporate Commission (VSCC) from 2006 through 2022, which includes regulating the utilities, insurance, banking, and securities industries. She also served as Virginia’s attorney general from 2005-2006.
Stephen Piepgrass
Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, with a particular focus on heavily regulated industries.
Michael Yaghi
Michael is a partner in the firm’s State Attorneys General and Regulatory Investigations, Strategy + Enforcement (RISE) Practice Groups, nationwide teams that advise clients on consumer protection enforcement matters and other regulatory issues.
Samuel E. “Gene” Fishel
Gene is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) practice, based in the Richmond office. He brings extensive regulatory experience, having most recently served as senior assistant attorney general and chief of the Computer Crime Section in the Office of the Attorney General of Virginia, and as special assistant U.S. attorney in the Eastern District of Virginia for 20 years.
Tim Bado
Tim is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, where he represents corporations and individuals facing potential civil and criminal exposure. Tim’s experience in government investigations, enforcement actions, and white-collar litigation spans a number of industries, including financial services, pharmaceutical, health care, and government contracting, among others.
Chris Carlson
Chris Carlson represents clients in regulatory, civil and criminal investigations and litigation. In his practice, Chris regularly employs his prior regulatory experience to benefit clients who are interacting with and being investigated by state attorneys general.
Blake R. Christopher
Blake collaborates with clients on matters related to government contracting, investigations, and disputes. His senior-level government experience generates valuable insights and strategies for clients across a variety of industries.
Natalia Jacobo
Natalia is an associate in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice. She focuses her practice on two primary areas: government contracting and state attorney general work.
Namrata Kang
Namrata (Nam) is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. She routinely advises clients on a wide variety of state and federal regulatory matters, with a particular emphasis on state consumer protection laws relating to consumer financial services and marketing and advertising.
Michael Lafleur
Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general.
Susan Nikdel
Susan is an associate in the firm’s Consumer Financial Services Practice Group, and focuses her practice on consumer financial services matters. She has defended several of the nation’s largest and most influential financial institutions in individual and class action litigation involving the Telephone Consumer Protection Act (TCPA), Fair Credit Reporting Act (FCRA), Fair Debt Collection Practices Act (FDCPA), and other consumer privacy statutes.
Whitney Shephard
Whitney is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. She represents clients facing state and federal regulatory investigations and enforcement actions, as well as related civil litigation.
Trey Smith
Trey is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice. He focuses his practice on helping financial institutions and consumer facing companies navigate regulatory investigations and resulting litigation.
Daniel Waltz
Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on his broad experience as a former assistant attorney general for the state of Illinois, Daniel is a problem solver both inside and outside the courtroom.
Stephanie Kozol
Stephanie is Troutman Pepper’s senior government relations manager in the state attorneys general department.