Enzo Biochem, Inc. has reached a $4.5 million settlement to resolve allegations of cybersecurity failures that led to a significant data breach in April 2023. The breach exposed the personal and health information of approximately 2.4 million patients, including sensitive data such as Social Security numbers and medical histories. The settlement follows investigations by the attorneys general of New York, New Jersey, and Connecticut, who uncovered serious deficiencies in Enzo’s data security protocols.
The breach was traced back to a series of security lapses, including the use of outdated and shared employee login credentials. An investigation revealed that these credentials had been compromised and were used to access Enzo’s systems, where attackers installed malicious software to exfiltrate vast amounts of data over an extended period. Notably, the company lacked adequate monitoring systems, which delayed the detection of unauthorized access and exacerbated the breach.
Under the settlement terms, Enzo Biochem is required to implement a comprehensive set of cybersecurity measures to prevent future incidents. These measures include maintaining a robust information security program, enforcing access control policies, and implementing multi-factor authentication across all user accounts. Additionally, Enzo must establish strong password management practices, encrypt all sensitive data, conduct annual risk assessments, and develop a detailed incident response plan.
New York will receive $2.8 million of the settlement, with the remaining funds allocated to New Jersey and Connecticut. This resolution not only addresses the immediate shortcomings in Enzo’s data protection practices but also serves as a broader warning to other healthcare organizations about the critical importance of robust cybersecurity measures. The case underscores ongoing efforts by regulatory authorities to enforce high standards of data security and protect consumers from the risks of identity theft and fraud.