Violation of HIPAA Security Rule = Violation of NY SHIELD Act

August 23, 2024

On August 13, 2024, the New York Attorney General announced a settlement agreement, along with the Attorneys General of Connecticut and New Jersey, with Enzo Biochem Inc. and its subsidiary corporation, Enzo Clinical Labs, Inc., regarding a security incident that occurred in April of 2023. The settlement includes a $4.5 million payment to be divided among the three Attorneys General, as well as a series of actions Enzo must undertake relating to privacy and security. Notably, according to the agreement, Enzo had not implemented several security measures identified in a third-party vendor HIPAA risk assessment in 2021. Those measures may have prevented or minimized the impact of the 2023 incident, which illustrates the importance of timely remediation of security gaps. Furthermore, entities covered by HIPAA and the SHIELD Act should keep in mind that the New York Attorney General may pursue enforcement actions based on potential violations of HIPAA, as the agreement found that Enzo violated the HIPAA Security Rule and Breach Notification Rule and that these violations would also constitute a violation of New York’s SHIELD Act. The agreement expressly states that it “is not intended, and should not be construed, as an admission of liability by” defendants, and they do not admit or deny the findings in the agreement.
