Settlement | High Risk | Multistate

NY AG Settles with Enzo Biochem for $4.5M Over Health Data Breach

Enzo Biochem, Inc. | August 13, 2024 | New York Attorney General

Penalty Amount

$4,500,000

Consumers Affected

2,400,000

Summary

New York Attorney General Letitia James, along with the Attorneys General of Connecticut and New Jersey, settled with Enzo Biochem, Inc. for $4.5 million over a 2023 ransomware attack that exposed health and personal data of 2.4 million patients, including 1.4 million New York residents. The investigation found Enzo had inadequate data security practices, including shared employee login credentials, lack of multi-factor authentication, no suspicious activity monitoring, and unencrypted personal information. As part of the settlement, Enzo will pay the penalty and implement enhanced cybersecurity measures including MFA, encryption, risk assessments, and an incident response plan.

Remedy

Enzo must pay a total $4.5 million penalty, with $2.8 million allocated to New York and the remainder to Connecticut and New Jersey. Enzo is required to implement and maintain a comprehensive information security program including: access controls for personal information, multi-factor authentication for all user accounts, strong password policies with regular rotation, encryption of all personal information at rest and in transit, annual documented risk assessments, and a comprehensive incident response plan.

Monetary Penalty | Compliance Program | Audit Requirement

Contract Impact

In-house legal teams should review all vendor agreements with healthcare and biotechnology service providers, particularly those handling personal or health information, to ensure they include mandatory multi-factor authentication, data encryption (both at rest and in transit), and robust access controls. Contracts should require vendors to conduct annual risk assessments, maintain comprehensive information security programs, and have documented incident response plans. Additionally, agreements should mandate strong password policies with regular rotation, and specify breach notification timelines and requirements. For vendors handling health data, ensure compliance with applicable health data security standards is explicitly required.

Contract Search Terms

multi-factor authentication, data encryption, annual risk assessment, incident response plan, access control policies, password rotation, health data security, comprehensive information security program

Violation Types

Entity Details

Entity

Enzo Biochem, Inc.

Also known as: Enzo Biochem

Industry

Healthcare

Multistate Coalition

Official Sources

Source Evidence

Entity Name: "Enzo Biochem, Inc. (Enzo)"
Fine Amount: "Enzo has agreed to pay a $4.5 million penalty"
Event Date: "August 13, 2024"
Jurisdiction: "New York Attorney General Letitia James"
Event Type: "As a result of today’s agreement, Enzo has agreed to pay a $4.5 million penalty"
Violation Types: "the OAG found that Enzo had poor data security practices, which led to a ransomware attack that compromised the personal and private information of approximately 2.4 million patients"

Related Enforcement Actions

CT

Enzo Biochem, Inc.

$4.5M

Connecticut Attorney General William Tong, along with New York and New Jersey attorneys general, secured a $4.5 million settlement from Enzo Biochem, Inc. for failing to protect patient health data, resulting in a ransomware attack that compromised 2.4 million patients' information. Enzo must pay the fine and implement enhanced cybersecurity measures including multi-factor authentication and annual risk assessments.

NJ

Enzo Biochem, Inc.

$4.5M

Enzo Biochem, Inc. agreed to pay $4.5 million and strengthen its cybersecurity practices to settle allegations that deficient data security led to a ransomware attack exposing the health data of 2.4 million patients. The multistate enforcement action was led by New Jersey with New York and Connecticut.

NY

No specific entity cited

New York Attorney General Letitia James issued a consumer alert on May 18, 2026, warning businesses against engaging in price gouging on transportation services during the Long Island Rail Road strike. The alert reminds businesses that New York’s price gouging laws prohibit unconscionable price increases on essential goods and services during market disruptions, with potential penalties of up to $25,000 per violation. No specific enforcement action against a particular entity was announced, only a general warning for businesses and a call for consumers to report suspected price gouging.

NY

N/A

New York Attorney General Letitia James issued a consumer alert on May 18, 2026, warning residents of potential price gouging by transportation service providers during the Long Island Rail Road strike. The alert reminds businesses that New York’s price gouging laws prohibit unconscionable price increases on essential services like transportation during market disruptions. No specific privacy violations or enforcement actions against individual entities were announced in the alert.

NY

N/A

This press release announces New York Attorney General Letitia James leading a coalition of 21 state attorneys general, the District of Columbia, and Pennsylvania’s Governor in filing an amicus brief with the U.S. Supreme Court to stay a Fifth Circuit ruling that would reinstate in-person dispensing requirements for mifepristone, a medication used for abortion. The coalition argues the ruling is scientifically unsupported, would restrict telehealth access to reproductive care, and undermines state sovereignty over abortion policy post-Dobbs. This is not a privacy-related enforcement action, as the content addresses reproductive health policy rather than data privacy violations.

NY

Uphold HQ, Inc.

$5.0M

New York Attorney General Letitia James secured a $5 million settlement from cryptocurrency platform Uphold HQ, Inc. for promoting Cred’s fraudulent CredEarn investment product as safe and reliable, when Cred was making risky loans to uncreditworthy borrowers in China. Uphold also falsely claimed Cred had comprehensive insurance and promoted the product without registering as a broker or commodity broker-dealer under New York law. As part of the settlement, Uphold will pay $5 million to harmed investors, remit $545,189 from Cred’s bankruptcy to customers, improve due diligence policies for third-party products, and register as a broker with the OAG.