Penalty Amount
$4,500,000
Consumers Affected
2,400,000
Connecticut Attorney General William Tong, along with the New York and New Jersey attorneys general, secured a $4.5 million settlement from Enzo Biochem, Inc. over its failure to protect patient health data, which resulted in a ransomware attack that compromised the information of 2.4 million patients. Enzo must pay the fine and implement enhanced cybersecurity measures, including multi-factor authentication and annual risk assessments.
Enzo must pay $4.5 million and adopt comprehensive cybersecurity measures such as maintaining an information security program, implementing multi-factor authentication, encrypting personal information, conducting annual risk assessments, and developing an incident response plan.
In-house legal teams should review vendor agreements (especially those handling health data), customer/patient consent forms, and employee access policies for clauses related to data security, breach notification, and compliance with health data regulations. Specific clauses to examine include data protection standards, incident response timelines, audit rights, and requirements for multi-factor authentication and regular risk assessments. Given the ransomware attack stemming from poor credential management (shared, outdated logins), agreements should be updated to enforce strong authentication practices, encryption requirements, mandatory security training for personnel, and clear accountability for third-party subcontractors.
Entity
Enzo Biochem, Inc.
Also known as: Enzo Biochem
Industry
Healthcare
"Enzo Biochem, Inc. (Enzo)"
"$4.5 million"
"failing to adequately safeguard the personal and private health information of its patients"
$4.5M
New York Attorney General Letitia James, along with the Attorneys General of Connecticut and New Jersey, settled with Enzo Biochem, Inc. for $4.5 million over a 2023 ransomware attack that exposed health and personal data of 2.4 million patients, including 1.4 million New York residents. The investigation found Enzo had inadequate data security practices, including shared employee login credentials, lack of multi-factor authentication, no suspicious activity monitoring, and unencrypted personal information. As part of the settlement, Enzo will pay the penalty and implement enhanced cybersecurity measures including MFA, encryption, risk assessments, and an incident response plan.
$4.5M
Enzo Biochem, Inc. agreed to pay $4.5 million and strengthen its cybersecurity practices to settle allegations that deficient data security led to a ransomware attack exposing the health data of 2.4 million patients. The multistate enforcement action was led by New Jersey with New York and Connecticut.
On May 11, 2026, Connecticut Attorney General William Tong led a bipartisan coalition of 21 attorneys general in submitting a comment letter to the U.S. Food and Drug Administration (FDA) urging the agency to abandon draft guidance that would ease approvals for flavored e-cigarette products. The coalition argues the guidance ignores evidence that flavored e-cigarettes disproportionately drive youth addiction and that FDA has failed to enforce existing authorization requirements for e-cigarette products. The letter references past tobacco and e-cigarette enforcement actions, including the 1998 tobacco master settlement agreement and the 2022 $438.5 million settlement with JUUL Labs.
Connecticut’s legislature passed House Bill 5312, creating new civil enforcement mechanisms for deepfake digital sexual assault, including unauthorized dissemination of synthetically created intimate images and AI-generated child pornography. The bill establishes a private right of action for victims and empowers the Connecticut Attorney General to pursue civil injunctions and penalties against abusers and platforms hosting illegal content. This builds on prior Connecticut laws criminalizing unauthorized intimate image dissemination.
Connecticut Attorney General William Tong praised final passage of House Bill 5312, which creates new civil enforcement mechanisms for deepfake digital sexual assault. The legislation allows the AG to pursue civil injunctions and penalties against platforms that disseminate illegal synthetic intimate images, including AI-generated child pornography, and establishes a private right of action for victims. The bill builds on prior Connecticut laws criminalizing unauthorized dissemination of intimate images.
$300K
Connecticut Attorney General William Tong announced a settlement with international trade platform Made-in-China to cease all U.S. sales of unlawful 'research grade' GLP-1 weight loss drugs following an investigation into direct sales to consumers without prescriptions or medical oversight. The settlement prohibits the platform from hosting GLP-1 sales to U.S. customers, requires a monitoring system to remove non-compliant listings, and imposes a $300,000 penalty suspended after an initial $30,000 payment. Additional settlements were announced with Radiance Medspa and Advanced Medical Weight Loss over compounded non-FDA approved GLP-1 drugs.