Cybersecurity breach costs Enzo Biochem $4.5 million

Enzo Biochem has agreed to pay $4.5 million to settle claims that it failed to protect sensitive patient data, leading to a significant cyberattack in April 2023. The breach compromised the personal and health information of approximately 2.4 million patients, including Social Security numbers and health histories. The settlement, announced by New York Attorney General Letitia James, involves payments to New York, New Jersey, and Connecticut.

The attack was made possible by shared login credentials among Enzo employees, including one password that hadn’t been updated in ten years. The attackers installed malware on the company’s systems, which went undetected for several days due to insufficient monitoring. The company has since taken steps to enhance its security measures, such as enforcing stronger passwords, implementing two-factor authentication, and improving its response plan for future incidents.

Enzo began notifying affected patients in June 2023. The breach impacted 1.46 million New Yorkers, including 405,000 whose Social Security numbers were compromised. New York will receive $2.8 million from the settlement. Attorney General James emphasised the importance of protecting patient information, particularly in the context of medical services.

Enzo Biochem has not commented on the settlement. The company previously exited the clinical lab testing business in August of the previous year. The settlement marks a significant reminder of the importance of robust cybersecurity protocols in protecting sensitive data.