Biotech company hacked in 2023 pays states $4.5 million over breached data

Avatar

Three state governments have announced a $4.5 million payment from Enzo Biochem — a biotech company that suffered a ransomware attack in April 2023 — for failing to protect the diagnostic test information and personal data of nearly 2.5 million people.

The attorneys general of New York, New Jersey and Connecticut announced the agreement on Tuesday with the New York-based company, which had reported the incident to the federal government in late May of 2023.

A subsequent investigation led by New York’s Office of the Attorney General (OAG) found that the unspecified attackers accessed Enzo’s networks using two employee login credentials. 

“The OAG later found that those two login credentials were shared between five Enzo employees and one of the login credentials hadn’t been changed in the last ten years, putting Enzo at heightened risk of a cyberattack,” the OAG said. The company also did not use multi-factor authentication for remote access to email, investigators said.

Recorded Future News has reached out to Enzo for a response to the agreement. 

No ransomware group has been publicly associated with the attack. 

The attorneys general said Enzo has agreed to several measures intended to strengthen its cybersecurity, such as adding multi-factor authentication to all employee accounts and updating other security policies and programs. The company will conduct and document annual risk assessments and develop and implement an incident response plan.

“Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” said New York Attorney General Letitia James. “Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft.”

New York state will receive the majority of the payment — $2.8 million. Nearly 1.5 million New Yorkers had their data exposed in the incident.

CybercrimeGovernmentNewsNews BriefsPrivacy
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

 

Total
0
Shares
Previous Post

Media, activists, former US diplomat were on Russia-aligned phishing campaigns’ hit lists

Next Post

RansomHub Group Deploys New EDR-Killing Tool in Latest Cyber Attacks

Related Posts

Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024. The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech
Avatar
Read More

Anatomy of an Attack

In today's rapidly evolving cyber threat landscape, organizations face increasingly sophisticated attacks targeting their applications. Understanding these threats and the technologies designed to combat them is crucial. This article delves into the mechanics of a common application attack, using the infamous Log4Shell vulnerability as an example, and demonstrates how Application Detection and
Avatar
Read More