Biotech company hacked in 2023 pays states $4.5 million over breached data

Three state governments have announced a $4.5 million payment from Enzo Biochem — a biotech company that suffered a ransomware attack in April 2023 — for failing to protect the diagnostic test information and personal data of nearly 2.5 million people.

The attorneys general of New York, New Jersey and Connecticut announced the agreement on Tuesday with the New York-based company, which had reported the incident to the federal government in late May of 2023.

A subsequent investigation led by New York’s Office of the Attorney General (OAG) found that the unspecified attackers accessed Enzo’s networks using two employee login credentials. 

“The OAG later found that those two login credentials were shared between five Enzo employees and one of the login credentials hadn’t been changed in the last ten years, putting Enzo at heightened risk of a cyberattack,” the OAG said. The company also did not use multi-factor authentication for remote access to email, investigators said.

Recorded Future News has reached out to Enzo for a response to the agreement. 

No ransomware group has been publicly associated with the attack. 

The attorneys general said Enzo has agreed to several measures intended to strengthen its cybersecurity, such as adding multi-factor authentication to all employee accounts and updating other security policies and programs. The company will conduct and document annual risk assessments and develop and implement an incident response plan.

“Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” said New York Attorney General Letitia James. “Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft.”

New York state will receive the majority of the payment — $2.8 million. Nearly 1.5 million New Yorkers had their data exposed in the incident.