Biotech company Enzo Biochem will pay $4.5m to settle regulatory charges for its poor security processes leading to a cyberattack in April 2023, according to New York’s attorney general.

The attack compromised the data of 2.4 million patients, including social security numbers and health histories as well as other patient information.

The settlement made yesterday (13 August) with New York, New Jersey and Connecticut resolved claims that Enzo did not adequately safeguard patients’ personal and private health information, said New York attorney general Letitia James.

“Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” James said in a statement.

Enzo Biochem, which develops, manufactures and markets products for clinical research, drug development and medical research, began alerting patients to the breach in June 2023.

Documents signed by the company reveal that cyber criminals accessed the organisation’s network with two log-in credentials that were shared by five Enzo employees, one of which had not been changed in a decade.

Attackers installed malware on several systems, and it went undetected for several days because the manufacturer did not monitor for suspicious activity at the time.

Prior to and as part of the settlement, Enzo is increasing its cyber security measures including stronger password requirements, two-factor authentication, encrypting personal information, and developing a plan to respond faster to cyberattacks – proving that simple tactics for cyber defense can still be effective.

Approximately 1.46 million New York patients were affected, including 405,000 with compromised social security numbers. The scale of the data breach means New York is set to receive $2.8m from the settlement.

The attorney general's decision comes a week after Mary Tagliaferri MD resigned from her position on the Board of Directors for Enzo to pursue other opportunities.

Enzo is yet to comment on the settlement.