Enzo Biochem to pay $4.5 million settlement over data breach failures

Enzo Biochem, Inc. has agreed to a $4.5 million settlement after a cyberattack in April 2023 compromised the personal and private health information of 2.4 million patients.

What happened

The settlement, announced on Tuesday, resolves regulatory charges against Enzo Biochem for failing to protect sensitive patient data. The breach occurred when attackers gained unauthorized access using employee credentials that had not been updated in over a decade. The exposed data includes Social Security numbers, health histories, and other sensitive information. New York Attorney General Letitia James, along with counterparts in New Jersey and Connecticut, led the investigations that uncovered serious lapses in Enzo’s data security practices.

The backstory

The incident is part of ongoing efforts by Attorney General James to hold companies accountable for cybersecurity failures. Earlier this year, James issued a comprehensive data security guide and a business guide on preventing credential stuffing attacks, stressing the need for cybersecurity measures across industries.

What was said

“Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” stated New York Attorney General Letitia James. She stressed that healthcare companies must prioritize data security to protect patients from fraud and identity theft, adding that her office will continue to hold companies accountable for lapses.

By the numbers

• 2.4 million patients affected by the Enzo Biochem data breach.
• 1,457,843 patients affected were New York residents.
• $4.5 million total settlement amount, with $2.8 million allocated to New York.

Related: Cyberattacks on the healthcare sector

Why it matters

This settlement holds Enzo Biochem accountable and warns other healthcare companies about the severe consequences of neglecting cybersecurity. As healthcare data breaches become more common, companies must implement stringent security measures to protect patient information and avoid costly penalties.

Related: Unpacking the benefits of cybersecurity in healthcare

FAQs

What is the role of encryption in safeguarding patient data?

Encryption converts data into a code to prevent unauthorized access. In healthcare, encryption ensures that sensitive patient information remains protected during storage and transmission, even if attackers intercept it.

Read more: What happens to your data when it is encrypted?

How can healthcare organizations prevent credential sharing among employees?

Organizations can prevent credential sharing by implementing strict access control policies, regularly auditing account usage, and educating employees on the risks of sharing login information.

What is the significance of regular risk assessments in cybersecurity?

Regular risk assessments help identify and address vulnerabilities in an organization's cybersecurity defenses, ensuring that new threats are recognized and mitigated promptly to protect sensitive data.