New York-based biotechnology firm Enzo Biochem has provided a $4.5 million settlement to New York, New Jersey, and Connecticut to resolve its alleged security failings following an April 2023 ransomware attack that impacted almost 2.5 million individuals' personal and diagnostic test data, according to The Record, a news site by cybersecurity firm Recorded Future.
Most of the settlement will be given to New York, which had almost 1.5 million residents affected by the incident, which was found by the state's Office of the Attorney General to have stemmed from the compromise of two Enzo employee credentials that have been unchanged in a decade, as well as the lack of any multi-factor authentication protections for email access. Aside from the monetary penalty, Enzo has committed to implementing MFA across all employee accounts, strengthening security programs, and adopting an incident response plan and annual risk evaluations. "Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals. Healthcare companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft," said New York Attorney General Letitia James.
