Violation of HIPAA Security Rule = Violation of NY SHIELD Act
Global | Publication | August 2024
Background
Enzo Biochem (“Enzo”) is a biotechnology company, and its subsidiary offered diagnostic testing until August of 2023, when it exited the business. Enzo is subject to HIPAA and, in November 2021, one of its vendors issued a report on a HIPAA risk assessment. The report identified several risks to Enzo’s systems and contained several recommendations to address them. For example, the report stated that some of Enzo’s servers and workstations did not encrypt HIPAA-covered protected health information (“PHI”) while the data was at rest. The vendor report also found that Enzo did not use automated processes for detection of security and network anomalies. According to paragraph 13 of Enzo’s settlement agreement with the New York Attorney General (the “agreement”), the vendor’s recommendations “were not implemented prior to the data security incident in April of 2023.”
According to the agreement, in early April of 2023, threat actors infiltrated Enzo’s network by using “login credentials to two [Enzo] administrator accounts [that] were shared among five [Enzo] employees and the credentials associated with one of these accounts had not been changed for ten years.” The threat actors obtained unencrypted patient information and launched some malware. According to paragraph 4 of the agreement:
Over the course of two days, the software made hundreds of thousands of attempts to connect to these servers. Enzo’s firewall identified tens of thousands of these connection attempts as malicious and blocked them. However, Enzo personnel did not become aware of the attackers’ activity until several days later because Enzo did not have a system or process in place to monitor for, or provide notice of, suspicious activity.
The threat actors encrypted Enzo’s files on April 5, which Enzo discovered on April 6. On April 6, Enzo engaged legal counsel, which engaged a cybersecurity firm to conduct an investigation. Enzo provided the cybersecurity firm with its logging from the time of the incident, which unfortunately was limited because Enzo did not maintain comprehensive records of user and network activity. The Enzo database server that contained the threat actor’s tools also included files with a variety of patient information, including patient names, dates of birth, addresses, phone numbers, Social Security numbers, and medical treatment/diagnosis information. Although the investigator could not prove or disprove that threat actors accessed those patient files, Enzo provided notice to the consumers. Paragraph 11 of the agreement states:
Enzo began providing notice of the breach to impacted patients on June 5, 2023. The notice listed several types of information that could have been accessed or acquired in the incident, including name, date of service, clinical test information and social security number, but did not disclose that certain patients’ address, phone number, date of birth, and gender information were also exfiltrated.
(Note: the excluded items are not specific data elements listed as “private information” in NY Gen. Bus. Law § 899-aa(b)(1) but they could be “personal information,” which that law defines as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”)
Paragraph 22 of the agreement lists 10 sections of the HIPAA Security Rule and two sections of the HIPAA Breach Notification Rule that the New York Attorney General claims Enzo violated (ranging from sections requiring Enzo to conduct risk analyses, establish access procedures, and provide “notification of individuals whose unsecured PHI is accessed as the result of a breach, including a description of the types of unsecured PHI involved in the breach”). Then Paragraph 23 reads in full:
Enzo’s conduct also violated GBL § 899-bb, which requires implementation and maintenance of reasonable safeguards to protect consumer information.
In other words, the violations of the HIPAA Security Rule and Breach Notification Rule constitute violations of New York’s SHIELD Act.
The agreement requires Enzo to take a variety of actions focused on information security, personal information safeguards, annual assessments, policies and procedures, an incident response plan, identity theft protection for all affected individuals, and the $4.5 million payment. Among the information security safeguards, Enzo must:
Select service providers capable of appropriately safeguarding Consumer Personal Information, contractually require service providers to implement and maintain appropriate safeguards to protect Consumer Personal Information, and take appropriate steps to verify service providers are complying with the contractual requirements; (emphasis supplied)
The agreement lists a number of safeguards for personal information (access and authentication controls, account audit, multi-factor authentication, password management, encryption, asset inventory, risk assessment program, penetration testing, segmentation, data loss/exfiltration prevention, monitoring and logging, an intrusion detection and prevention solution, and an endpoint detection and response solution). There must also be a third-party assessment of the information security program, with the results provided to the Attorney General, for each of the next three years. We are seeing a renewed emphasis by state Attorneys General on vendor management and meaningful supervision in the wake of the increase in third-party incidents.
With respect to consumer notice in the event of a security incident, the agreement incorporates the definition of “personal information” listed above plus HIPAA’s definition of PHI (collectively, “Personal Information”) and requires:
If the Respondent determines Consumer Personal Information has been, or is reasonably likely to have been, accessed or acquired without authorization, Respondent shall expediently provide each Consumer whose Personal Information has been, or is reasonably believed to have been, accessed or acquired without authorization, by email or letter or other legally valid forms of substitute notice established under New York law, material information concerning the Security Event that is reasonably individualized to the customer including, at a minimum, the timing of the Security Event, whether the Consumer’s Personal Information was accessed or acquired without authorization, what Personal Information was accessed or acquired, and what actions have been taken to protect the Consumer. If necessary in order to provide expedient notice to Consumers, Respondent may provide more than one notice that collectively provide all material information.
Lessons Learned
This matter provides several takeaways:
- If your company conducts a risk assessment or is the subject of a third-party risk assessment, be sure to document what actions have been taken in response to any recommended actions. It is not enough simply to do the assessment; you need to take appropriate actions and remediate the issues discovered by the assessment. This requires not only budgeting for the assessment, but prioritizing and budgeting for any necessary remediation.
- Because cyber incidents necessarily implicate an organization’s legal obligations, a company’s Incident Response Team should be co-led by its Information Security lead and its cyber counsel (often the Chief Privacy Officer or designee). The organization should engage retained counsel who will hire the necessary third-party resources, including forensic investigators. Note that if a company hires the third-party resources directly, without retained counsel, courts and regulators may see that action as outside the scope of the investigation and as part of the company’s ordinary course of business and available for scrutiny (and, thus, weaken any privilege claims).
- Consider your company’s record retention practices with respect to information security records. Had Enzo retained comprehensive records of user and network activity, its forensic investigator may have been able to determine whether the data impacted in the 2023 incident was actually subject to unauthorized access.
- If a security incident requires notice to consumers, keep in mind the very broad definition of “personal information” that the New York Attorney General used in this agreement when deciding how to describe the affected information in the consumer notice letter. Even where personal information may not trigger a notification requirement, the New York Attorney General may expect that any additional affected personal data elements be included in the notice to consumers where private information sufficient to trigger notification is impacted.
- The New York AG clearly found that violations of HIPAA’s regulations constituted violations of the New York SHIELD Act under this agreement. Although HIPAA does not include a private right of action, it does permit state attorneys general to enforce it, so this action could be the harbinger for any HIPAA-covered entities subject to the New York SHIELD Act. (Note that New York’s SHIELD Act includes a HIPAA exception, but only for entities that are in compliance with HIPAA’s requirements.)