Penalty Amount
$4,500,000
Consumers Affected
2,400,000
Enzo Biochem, Inc. agreed to pay $4.5 million and strengthen its cybersecurity practices to settle allegations that deficient data security led to a ransomware attack exposing the health data of 2.4 million patients. The multistate enforcement action was led by New Jersey with New York and Connecticut.
Enzo must pay $4.5 million and implement a comprehensive information security program, including multi-factor authentication, strong passwords, encryption, annual risk assessments, and an incident response plan.
In-house legal teams should prioritize reviewing all agreements involving the handling of protected health information (PHI), particularly Business Associate Agreements (BAAs) with vendors and service providers, customer contracts for laboratory services, and employee data access agreements. Key clauses to scrutinize include data security obligations (e.g., encryption, access controls), breach notification timelines and procedures (ensuring alignment with HIPAA's 60-day requirement and stricter state laws), audit rights to verify vendor security practices, indemnification provisions covering data breach costs, and restrictions on subprocessors. Given the settlement's focus on deficient cybersecurity leading to a ransomware attack, contracts may need amendments to mandate specific security frameworks (e.g., NIST), require regular penetration testing and risk assessments, set breach notification windows shorter than HIPAA requires, and incorporate certifications of compliance with state-specific laws (e.g., the New Jersey Consumer Fraud Act).
Entity
Enzo Biochem, Inc.
Also known as: Enzo Biochem
Industry
Healthcare
Official Press Release
https://www.njoag.gov/attorney-general-platkin-and-multistate-coalition-secure-4-5-million-from-enzo-biochem-for-failing-to-protect-health-data/
2024 0813 Enzo NJ Consent Order DCA Executed
https://www.nj.gov/oag/newsreleases24/2024-0813_Enzo-NJ-Consent-Order-DCA-Executed.pdf
New Jersey Attorney General Enforcement Page
https://www.njoag.gov/about/divisions-and-offices/division-of-consumer-affairs/
"Enzo Biochem, Inc."
"$4.5 million"
"Health Insurance Portability and Accountability Act"
"New Jersey Consumer Fraud Act"
"failing to adequately safeguard the personal and private health information of its patients"
"approximately 2.4 million patients nationwide"
$4.5M
Connecticut Attorney General William Tong, along with New York and New Jersey attorneys general, secured a $4.5 million settlement from Enzo Biochem, Inc. for failing to protect patient health data, resulting in a ransomware attack that compromised 2.4 million patients' information. Enzo must pay the fine and implement enhanced cybersecurity measures including multi-factor authentication and annual risk assessments.
$4.5M
New York Attorney General Letitia James, along with the Attorneys General of Connecticut and New Jersey, settled with Enzo Biochem, Inc. for $4.5 million over a 2023 ransomware attack that exposed health and personal data of 2.4 million patients, including 1.4 million New York residents. The investigation found Enzo had inadequate data security practices, including shared employee login credentials, lack of multi-factor authentication, no suspicious activity monitoring, and unencrypted personal information. As part of the settlement, Enzo will pay the penalty and implement enhanced cybersecurity measures including MFA, encryption, risk assessments, and an incident response plan.
$100K
New Jersey Attorney General Jennifer Davenport and the Division of Consumer Affairs announced a Consent Order with King Distribution LLC and 17 related retail smoke shops, resolving allegations that the companies illegally sold flavored vapor products in violation of New Jersey’s consumer protection laws. The Consent Order imposes a $100,000 civil penalty, requires reimbursement of $22,279 in investigation costs, and prohibits the companies from selling or distributing flavored vapor products in New Jersey. The enforcement action is part of New Jersey’s ongoing efforts to protect youth from flavored vape products, which have been permanently banned in the state since January 2020.
The New Jersey Bureau of Securities issued a Cease and Desist Order on April 30, 2026, against Titan Macro Finance for operating an investment fraud scheme via WhatsApp and Instagram that defrauded at least one New Jersey investor of $64,000. The scheme involved unregistered broker-dealer activity, fake trading profits, and undisclosed fees to access investor funds. The action was coordinated with the California Department of Financial Protection and Innovation, which issued a similar order against the entity for violating California’s Commodity Code.
New Jersey Attorney General Jennifer Davenport and the Bureau of Securities issued a public warning to state residents about fraudulent investment schemes proliferating on Meta-owned platforms including Facebook, Instagram, and WhatsApp. The alert details common scam tactics such as pump-and-dump schemes, confidence scams, and fraudulent cryptocurrency offerings, and provides tips for residents to avoid victimization. No enforcement action against any entity was announced in this release.
New Jersey Attorney General Jennifer Davenport led a bipartisan coalition of 27 state attorneys general in submitting a comment letter to the Federal Trade Commission urging federal rulemaking to regulate hidden and deceptive rental housing fees. The AG also issued guidance clarifying New Jersey’s new $50 rental application fee cap, effective May 1, 2026, warning that deceptive fee practices may violate the New Jersey Consumer Fraud Act. No specific enforcement action against a named individual entity was announced, with enforcement of the fee cap set to begin May 1, 2026.