Biotech company Enzo Biochem will pay $4.5m to settle regulatory charges for its poor security processes leading to a cyberattack in April 2023, according to New York's attorney general.
The attack compromised the data of 2.4 million patients, including social security numbers and health histories as well as other patient information.
The settlement made yesterday (13 August) with New York, New Jersey and Connecticut resolved claims that Enzo did not adequately safeguard patients' personal and private health information, said New York attorney general Letitia James.
"Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals," James said in a statement.
Enzo Biochem, which develops, manufactures and markets products for clinical research, drug development and medical research, began alerting patients to the breach in June 2023.
Documents signed by the company reveal that cyber criminals accessed the organisation’s network with two log-in credentials that were shared by five Enzo employees – one that had not changed in a decade.
Attackers installed malware on several systems, and it went undetected for several days because the manufacturer did not monitor for suspicious activity at the time.
Prior to and as part of the settlement, Enzo is increasing its cyber security measures including stronger password requirements, two-factor authentication, encrypting personal information, and developing a plan to respond faster to cyberattacks – proving that simple tactics for cyber defense can still be effective.
Approximately 1.46 million New York patients were affected, including 405,000 with compromised social security numbers. The scale of the data breach means New York is set to receive $2.8m from the settlement.
The attorney general's decision comes a week after Mary Tagliaferri MD resigned from her position on the Board of Directors for Enzo to pursue other opportunities.
Enzo is yet to comment on the settlement.
"Enzo Biochem to pay $4.5m for leaked healthcare data due to lax security" was originally created and published by Verdict, a GlobalData owned brand.