A recent data breach at a medical testing company allegedly exposed the personal data of more than 2.5 million customers across multiple states, including here in Connecticut.

According to a Class Action complaint filed in the U.S. District Court of New York last week, millions of patients may have had their information stolen during a ransomware attack on Enzo Clinical Labs, a company also based in New York. That breach was confirmed by Enzo in a statement posted to the company website. The same information was also mailed to patients whose information was compromised.

In the notice, Enzo states that the company became aware of a data breach and ransomware attack on April 6th of this year and that the hackers had access to its systems for three days. The attackers were able to steal personal information including names, laboratory results, and in some cases Social Security numbers. The company claims that payment information was not among the data stolen.

An alert about the breach was also posted to DataBreaches.net, a site that tracks such attacks, which listed the number of Social Security Numbers stolen at 600,000.

The complaint was filed on behalf of a Boston woman named Eliana Epstein “and approximately 2.5 million Class Members” who were reportedly also victims of the breach. In it, Epstein claims that she never did business with Enzo directly and assumes that a healthcare provider she did work with contracted with the company, sharing her personal information with them.

The complaint does not list the states in which affected patients live, but CII is aware of at least one Connecticut resident whose information was included in the breach and who is also unaware of ever doing business with Enzo directly.

In addition to concerns over how Enzo came to be in possession of her information, the complaint also raises concerns over the company’s ability to properly secure that data, as well as their handling of the breach. Through the complaint, Epstein expresses her own upset that Enzo took two months to begin notifying affected patients of the breach, time during which their information was vulnerable.

Ransomware attacks have become extremely common in the last few years, thanks in part to the ease with which these attacks can be carried out with access to the right tools. Healthcare providers, meanwhile, are prime targets for ransomware attackers. They sometimes have less robust IT systems and have a high incentive to pay the ransom to regain control of systems and protect patient data. 

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services have issued warnings to healthcare and public health organizations in the past to be aware of increased attacks against their systems using a variety of ransomware services. They have also issued advice and instructions on best practices to these sectors.

For this reason, the Class Action complaint against Enzo also alleges that the company should have been more prepared for such attacks and should have taken greater steps to secure its systems and patient information.

Enzo, for its part, has provided credit monitoring and identity theft protection services to those whose Social Security Numbers were compromised. The complaint, however, argues that this is not enough to make up for the damage inflicted by the breach.

An Emmy and AP award-winning journalist, Tricia has spent more than a decade working in digital and broadcast media. She has covered everything from government corruption to science and space to entertainment...