Biotech firm settles class action lawsuit over ransomware attack for $7.5 million

A large biotech company decided to settle a class action lawsuit for $7.5 million after facing backlash for a ransomware attack that exposed the diagnostic test information and personal data of nearly 2.5 million people.

Enzo Biochem filed a report to the U.S. Securities and Exchange Commission on Wednesday evening announcing a settlement to conclude the civil suit.

The company was hit with ransomware in April 2023 in an attack that it previously said involved the “unauthorized access to or acquisition of clinical test information of approximately 2,470,000 individuals.” The company was able to maintain operations but discovered on April 11, 2023, that names, test information, and approximately 600,000 Social Security numbers were accessed.

In a new filing, Enzo Biochem said the $7.5 million settlement fund “provides for the full and final release of the Company and its subsidiaries from any and all claims.” The company also noted that it previously committed to “make certain upgrades to its data protection systems, which have been made.”

The settlement comes after Enzo Biochem agreed last year to pay three state governments $4.5 million for the same ransomware attack. 

An investigation led by New York’s Office of the Attorney General (OAG) found that the attackers — who were never identified and never came forward publicly — accessed Enzo’s networks using two employee login credentials. 

“The OAG later found that those two login credentials were shared between five Enzo employees and one of the login credentials hadn’t been changed in the last ten years, putting Enzo at heightened risk of a cyberattack,” the OAG said. The company also did not use multi-factor authentication for remote access to email, investigators said.

Enzo Biochem warned investors in 2023 that it would likely face financial penalties from regulators and lawsuits in relation to the ransomware attack. The company reported fiscal 2022 revenue of $32.6 million and is well known for being one of the first biotechnology companies to go public.

Healthcare organizations are facing increasing scrutiny for ransomware attacks that expose patient data. 

The U.S. Department of Health and Human Services (HHS) has secured eight settlements related to ransomware attacks on healthcare industry companies. 

The department said ransomware has become one of the primary threats to healthcare and provided data showing a 264% increase since 2018 in large breaches involving ransomware that were reported to its Office for Civil Rights.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
