Biotech company hacked in 2023 pays states $4.5 million over breached data

Avatar

Three state governments have announced a $4.5 million payment from Enzo Biochem — a biotech company that suffered a ransomware attack in April 2023 — for failing to protect the diagnostic test information and personal data of nearly 2.5 million people.

The attorneys general of New York, New Jersey and Connecticut announced the agreement on Tuesday with the New York-based company, which had reported the incident to the federal government in late May of 2023.

A subsequent investigation led by New York’s Office of the Attorney General (OAG) found that the unspecified attackers accessed Enzo’s networks using two employee login credentials. 

“The OAG later found that those two login credentials were shared between five Enzo employees and one of the login credentials hadn’t been changed in the last ten years, putting Enzo at heightened risk of a cyberattack,” the OAG said. The company also did not use multi-factor authentication for remote access to email, investigators said.

Recorded Future News has reached out to Enzo for a response to the agreement. 

No ransomware group has been publicly associated with the attack. 

The attorneys general said Enzo has agreed to several measures intended to strengthen its cybersecurity, such as adding multi-factor authentication to all employee accounts and updating other security policies and programs. The company will conduct and document annual risk assessments and develop and implement an incident response plan.

“Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” said New York Attorney General Letitia James. “Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft.”

New York state will receive the majority of the payment — $2.8 million. Nearly 1.5 million New Yorkers had their data exposed in the incident.

CybercrimeGovernmentNewsNews BriefsPrivacy
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

 

Total
0
Shares
Previous Post

Media, activists, former US diplomat were on Russia-aligned phishing campaigns’ hit lists

Next Post

RansomHub Group Deploys New EDR-Killing Tool in Latest Cyber Attacks

Related Posts

Critical NVIDIA Container Toolkit Vulnerability Could Grant Full Host Access to Attackers

A critical security flaw has been disclosed in the NVIDIA Container Toolkit that, if successfully exploited, could allow threat actors to break out of the confines of a container and gain full access to the underlying host. The vulnerability, tracked as CVE-2024-0132, carries a CVSS score of 9.0 out of a maximum of 10.0. It has been addressed in NVIDIA Container Toolkit version v1.16.2 and
Avatar
Read More