The diagnostic testing laboratory settled with New York, Connecticut, and New Jersey following a breach that exposed 2.4 million people’s data.
The Breach
Enzo Biochem, headquartered in New York, is a life sciences and biotechnology company that develops and manufactures healthcare products related to research, drug development, and diagnostics. The company has six locations worldwide and over 50 distributors. While much of their work is in research, they also work with patients by offering diagnostic testing at laboratories.
In April of 2023, cyber attackers accessed Enzo’s network using two employee login credentials. The company said the attack involved “unauthorized access to or acquisition of clinical test information of approximately 2,470,000 individuals.”
According to the company’s filing with the U.S. Securities and Exchange Commission (SEC), Enzo Biochem determined that names, test information, and 600,000 Social Security numbers were accessed. Some of that information was only accessed, but in some instances it was also exfiltrated.
Enzo Biochem stated it was a ransomware attack, but so far no organization has taken credit. Generally, ransomware organizations will take credit for an attack before demanding ransom payments or making threats.
As soon as the attack occurred, Enzo Biochem stated they “promptly deployed containment measures, including disconnecting its systems from the internet, launched an investigation with assistance from third-party cybersecurity experts, and notified law enforcement.” The company said that because of its disaster recovery plan, they were able to continue operating despite the attack.
At the time of the filing, Enzo Biochem said, “Security and privacy incidents have led to, and may continue to lead to, additional regulatory scrutiny. [Enzo Biochem] is in the process of evaluating the full scope of the costs and related impacts of this incident.”
The Investigation
After the breach, the Attorneys General of New York, Connecticut, and New Jersey further investigated the incident.
According to New York Attorney General Letitia James, the employee credentials used to access Enzo’s network were outdated. The two login credentials were shared among five employees and had not been changed in the last ten years, drastically increasing Enzo’s vulnerability to an attack.
Once the malicious actors entered Enzo’s system, they were able to install malicious software onto multiple systems. Enzo Biochem only became aware of the attack several days later. According to the Attorney General’s report, the company did not have a system in place to monitor or provide notice of suspicious activity.
On top of names, Social Security numbers, and test information, the probe also determined that addresses, dates of birth, and other medical treatment/diagnosis information were compromised in the breach.
Ultimately, the Attorneys General of New York, New Jersey, and Connecticut found that Enzo Biochem failed to “adequately safeguard the personal and private health information of its patients.”
In a statement, New Jersey Attorney General Matthew J. Platkin said, “It is stunning that as recently as last year, this healthcare company apparently did not abide by basic security precautions for online accounts, such as instructing its employees not to share passwords.”
As a result, Enzo has agreed to pay a settlement of $4.5 million and take steps to strengthen its cybersecurity policies. $2.8 million will go to New York, approximately $743,000 will go to Connecticut, and approximately $930,000 will go to New Jersey. “This agreement sends a strong message to companies that we will hold them accountable if they fail to take reasonable measures to protect consumers’ information,” said Connecticut Attorney General William Tong.
“Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” said New York Attorney General James. “Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft.”
As part of the agreement, Enzo is adopting more cybersecurity practices, including:
- Maintaining a comprehensive information security program;
- Implementing policies and procedures to limit access to personal information;
- Implementing multi-factor authentication for individual accounts;
- Establishing policies that require the use of strong passwords;
- Encrypting all personal information;
- Conducting annual risk assessments; and
- Developing a comprehensive incident response plan.
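The investigation’s two core findings, a credential shared by several people and no monitoring for suspicious activity, both leave signals a defender can check for. The following is an added illustration, not code from Enzo or the settlement: it runs over constructed login records and a constructed account inventory (usernames, hosts and dates are invented) and flags accounts used from many hosts in a short window and accounts whose password has not been rotated within a policy limit.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the Enzo investigation): successful logins
# to a lab system as (timestamp, username, source_host). One generic account
# appears from several workstations in minutes, the footprint shared
# credentials leave in an authentication log.
LOGIN_EVENTS = [
    ("2023-04-03 08:01", "labuser1", "ws-101"),
    ("2023-04-03 08:04", "labuser1", "ws-117"),
    ("2023-04-03 08:09", "labuser1", "ws-122"),
    ("2023-04-03 08:15", "labuser1", "ws-140"),
    ("2023-04-03 08:30", "jdoe", "ws-205"),
    ("2023-04-03 09:02", "labuser1", "vpn-external-7"),
    ("2023-04-03 09:45", "jdoe", "ws-205"),
]

# Constructed account inventory: username -> date the password was last set.
ACCOUNTS = {
    "labuser1": "2013-02-11",
    "jdoe": "2023-01-20",
}

def shared_credential_candidates(events, window_minutes=60, min_hosts=3):
    """Return {user: hosts} for accounts seen from at least min_hosts distinct
    hosts inside any window of window_minutes. A single person rarely logs in
    from that many machines that quickly; several people sharing one login do."""
    by_user = defaultdict(list)
    for ts, user, host in events:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), host))
    flagged = {}
    for user, rows in by_user.items():
        rows.sort()  # chronological, so each start index opens one window
        for i, (start, _) in enumerate(rows):
            limit = start + timedelta(minutes=window_minutes)
            hosts = {h for t, h in rows[i:] if t <= limit}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

def stale_password_accounts(accounts, as_of, max_age_days=90):
    """Return accounts whose password is older than max_age_days on as_of."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=max_age_days)
    return sorted(u for u, last_set in accounts.items()
                  if datetime.strptime(last_set, "%Y-%m-%d") < cutoff)

if __name__ == "__main__":
    print(shared_credential_candidates(LOGIN_EVENTS))
    print(stale_password_accounts(ACCOUNTS, "2023-04-03"))
```

Both checks are the kind of rule a log pipeline or identity review would run on a schedule; the window size, host count and password age are policy knobs to tune to the environment.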
In an unrelated move, as of July 2023, Enzo Biochem has sold its clinical laboratory division to Laboratory Corporation of America (Labcorp). The lab sold for $146 million and resulted in at least 247 employees being laid off.
Navigating Increasing Attacks and Lawsuits
Attacks have become increasingly frequent and are targeting healthcare organizations more and more due to the valuable private data these companies hold. On top of this, organizations experiencing a breach are more likely to face penalties or class action lawsuits. While these measures are designed to encourage proactive security measures, they could make healthcare organizations more likely to negotiate with ransomware gangs in an attempt to have stolen data returned.
Although attacks have grown in sophistication, many are still extremely preventable through methods like complex passwords, multi-factor authentication, encryption, and network monitoring. Despite these tried and true methods, some organizations feel overwhelmed by the evolving security landscape, and the shortage of cybersecurity experts has only made it more challenging.
Even though it’s difficult to maintain the highest level of security, it’s more important than ever. It’s estimated that data breaches in the healthcare sector have increased 53.3%, costing an average of $10.93 million per breach in 2023. 2024 numbers are expected to be even higher. Experts believe class action lawsuits have “exploded” as well; in 2023, these lawsuits generated over $50 billion in settlements.
How Cloudticity Can Help
To stay ahead of attacks and lawsuits, organizations need a cybersecurity team and system they can rely on. That’s where Cloudticity comes in.
As a HITRUST-certified organization with over 10 years as a leader in managed security for healthcare, we’ve never suffered a data breach. We use a proven security tech stack with the best cybersecurity experts, ensuring your data is safe and any vulnerabilities are promptly addressed.
While ransomware attacks are increasing with devastating consequences, our experts will make sure your organization’s and patients’ data remain secure. We know it’s difficult to find quality cybersecurity experts, which is why outsourcing to our team is the best, most secure, and cost-effective solution, allowing your healthcare providers to focus less on tech and more on serving patients.
If you want to learn more about how we can help protect your organization from ransomware, reach out for a free consultation today.