    Biotech company settles for $4.5M after cybercriminals use decade-old password in massive data breach: NY AG

    By Rabia Gursoy,

    3 days ago

    NEW YORK (1010 WINS/WCBS 880) – A biotech company has agreed to pay $4.5 million for failing to protect the health information of millions of Americans, including residents of New York, New Jersey, and Connecticut, according to New York Attorney General Letitia James.

    James, along with the attorneys general of Connecticut and New Jersey, secured the settlement from Enzo Biochem, Inc. (Enzo), a biotechnology company that provides diagnostic testing, after the company failed to “adequately safeguard the personal and private health information of its patients.”

    An investigation revealed that Enzo’s inadequate data security practices led to a ransomware attack in 2023, where cybercriminals accessed Enzo’s networks using two employee login credentials. One of these credentials had not been changed in ten years, increasing the risk of a cyberattack.

    Enzo will pay $2.8 million for New York and over $930,000 for New Jersey, and the company is required to enhance its data security practices.

    “Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” James said. “Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft. Data security is part of patient safety, and my office will continue to hold companies accountable when they fail to protect New Yorkers.”

    The attack compromised the personal and private information of approximately 2.4 million patients, including over 1.4 million New Yorkers, exposing their names, addresses, dates of birth, phone numbers, Social Security numbers, and medical treatment/diagnosis information.

    Enzo agreed to pay the penalty and implement several measures to enhance its cybersecurity. These include maintaining a comprehensive information security program to protect private information, implementing policies to limit access to personal data, using multi-factor authentication for all user accounts, enforcing strong, complex passwords and regular password rotation, encrypting all personal information both stored and transmitted, conducting and documenting annual risk assessments, and developing a comprehensive incident response plan for potential data security issues.
