Global | Publication | August 2024
Enzo Biochem (“Enzo”) is a biotechnical company, and its subsidiary offered diagnostic testing until August of 2023, when it exited the business. Enzo is subject to HIPAA and, in November 2021, one of its vendors issued a report on a HIPAA risk assessment. The report identified several risks to Enzo’s systems and contained several recommendations to address them. For example, the report stated that some of Enzo’s servers and workstations did not encrypt HIPAA-covered protected health information (“PHI”) while the data was at rest. The vendor report also found that Enzo did not use automated processes for detection of security and network anomalies. According to paragraph 13 of the agreement, the vendor’s recommendations “were not implemented prior to the data security incident in April of 2023.”
According to the agreement, in early April of 2023, threat actors infiltrated Enzo’s network by using “login credentials to two [Enzo] administrator accounts [that] were shared among five [Enzo] employees and the credentials associated with one of these accounts had not been changed for ten years.” The threat actors obtained unencrypted patient information and launched some malware. According to paragraph 4 of the agreement:
Over the course of two days, the software made hundreds of thousands of attempts to connect to these servers. Enzo’s firewall identified tens of thousands of these connection attempts as malicious and blocked them. However, Enzo personnel did not become aware of the attackers’ activity until several days later because Enzo did not have a system or process in place to monitor for, or provide notice of, suspicious activity.
The threat actors encrypted Enzo’s files on April 5, which Enzo discovered on April 6. On April 6, Enzo engaged legal counsel, which engaged a cybersecurity firm to conduct an investigation. Enzo provided the cybersecurity firm with its logging from the time of the incident, which unfortunately was limited because Enzo did not maintain comprehensive records of user and network activity. The Enzo database server that contained the threat actor’s tools also included files with a variety of patient information, including patient names, dates of birth, addresses, phone numbers, Social Security numbers, and medical treatment/diagnosis information. Although the investigator could not prove or disprove that threat actors accessed those patient files, Enzo provided notice to the consumers. Paragraph 11 of the agreement states:
Enzo began providing notice of the breach to impacted patients on June 5, 2023. The notice listed several types of information that could have been accessed or acquired in the incident, including name, date of service, clinical test information and social security number, but did not disclose that certain patients’ address, phone number, date of birth, and gender information were also exfiltrated.
(Note: the excluded items are not specific data elements listed as “private information” in NY Gen. Bus. Law § 899-aa(b)(1) but they could be “personal information,” which that law defines as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”)
Paragraph 22 of the agreement lists 10 sections of the HIPAA Security Rule and two sections of the HIPAA Breach Notification Rule that the New York Attorney General claims Enzo violated (ranging from sections requiring Enzo to conduct risk analyses, establish access procedures, and provide “notification of individuals whose unsecured PHI is accessed as the result of a breach, including a description of the types of unsecured PHI involved in the breach”). Then Paragraph 23 reads in full:
Enzo’s conduct also violated GBL § 899-bb, which requires implementation and maintenance of reasonable safeguards to protect consumer information.
In other words, the violations of the HIPAA Security Rule and Breach Notification Rule constitute violations of New York’s SHIELD Act.
The agreement requires Enzo to take a variety of actions focused on information security, personal information safeguards, annual assessments, policies and procedures, incident response plan, identity theft protection to all affected individuals, and the $4.5 million payment. Among the information security safeguards, Enzo must:
Select service providers capable of appropriately safeguarding Consumer Personal Information, contractually require service providers to implement and maintain appropriate safeguards to protect Consumer Personal Information, and take appropriate steps to verify service providers are complying with the contractual requirements; (emphasis supplied)
The agreement lists a number of safeguards for personal information (access and authentication controls, account audit, multi-factor authentication, password management, encryption, asset inventory, risk assessment program, penetration testing, segmentation, data loss/exfiltration prevention, monitoring and logging, intrusion detection and prevention solution, and endpoint detection and response solution). There must also be a third-party assessment of the information security program, with the results provided to the attorney general, for each of the next three years. We are seeing a renewed emphasis by state Attorneys General on vendor management and meaningful supervision in the wake of the increase in third-party incidents.
With respect to consumer notice in the event of a security incident, the agreement incorporates the definition of “personal information” listed above plus HIPAA’s definition of PHI (collectively, “Personal Information”) and requires:
If the Respondent determines Consumer Personal Information has been, or is reasonably likely to have been, accessed or acquired without authorization, Respondent shall expediently provide each Consumer whose Personal Information has been, or is reasonably believed to have been, accessed or acquired without authorization, by email or letter or other legally valid forms of substitute notice established under New York law, material information concerning the Security Event that is reasonably individualized to the customer including, at a minimum, the timing of the Security Event, whether the Consumer’s Personal Information was accessed or acquired without authorization, what Personal Information was accessed or acquired, and what actions have been taken to protect the Consumer. If necessary in order to provide expedient notice to Consumers, Respondent may provide more than one notice that collectively provide all material information.
This matter provides several takeaways:
© Norton Rose Fulbright LLP 2023