Enzo Biochem, Inc. (NYSE: ENZ), a biotechnology company specializing in diagnostic testing services, has agreed to a $4.5 million settlement following a cyberattack in April 2023 that exposed the personal and health information of approximately 2.4 million patients. The settlement was negotiated after an investigation uncovered severe deficiencies in the company’s data security practices.
A key finding of the investigation was that two login credentials, shared among five employees, had not been updated or changed in over a decade. This outdated and insecure practice created a significant vulnerability, making it easy for cybercriminals to infiltrate Enzo’s systems and steal sensitive data, including Social Security numbers and medical histories.
Compounding these issues, the company’s failure to implement effective monitoring systems allowed the attackers to remain undetected for several days, which significantly worsened the breach’s impact.
Why It Matters: This year has seen a disturbing rise in cyberattacks targeting healthcare facilities and laboratories responsible for safeguarding patient data. Enzo Biochem is the latest victim, now facing substantial financial and reputational damage due to its outdated and insufficient security practices. Their story of negligence should serve as a cautionary tale to others. Beyond the massive fine, this breach raises a critical concern: future patients may begin to question whether a routine diagnostic test could come with the hidden risk of having their personal information exposed to cybercriminals.
- Data Breach Details: In April 2023, a cyberattack on Enzo Biochem compromised the personal information of 2.4 million patients. The breach was facilitated by shared and outdated employee login credentials, which allowed attackers to install malware and access sensitive data undetected for several days.
- Settlement Breakdown: Enzo Biochem has agreed to pay $4.5 million to settle regulatory charges brought by the attorneys general of New York, New Jersey, and Connecticut. New York will receive $2.8 million of the settlement, with the remaining amount distributed between New Jersey and Connecticut.
- Cybersecurity Failures: The investigation revealed significant lapses in Enzo’s data security, including the absence of multi-factor authentication, inadequate password management, and a lack of real-time monitoring systems to detect unauthorized access.
- Broader Implications: This case is part of a larger effort by New York Attorney General Letitia James to improve data security practices across various industries, highlighting the increasing regulatory scrutiny on companies that handle sensitive information.
Enzo Biochem to Pay $4.5 Million over Cyberattack, NY Attorney General says – AOL.com