By Jonathan Stempel
NEW YORK (Reuters) -Enzo Biochem will pay $4.5 million to settle regulatory charges that lax security protocols contributed to an April 2023 cyberattack that compromised Social Security numbers, health histories and other information for about 2.4 million patients.
Tuesday’s settlement with New York, New Jersey and Connecticut resolved claims that Enzo did not adequately safeguard patients’ personal and private health information, New York Attorney General Letitia James said.
According to an assurance of discontinuance signed by Enzo, cyberattackers accessed the biotechnology company’s network with two log-in credentials that were shared by five Enzo employees, including one credential that had not changed in a decade.
Attackers then installed malware on several systems, which the Farmingdale, New York-based company needed several days to discover because it did not monitor for suspicious activity.
Prior to and as part of the settlement, Enzo is bolstering security, including by requiring stronger passwords and two-factor authentication, encrypting personal information, and developing a plan to respond to cyberattacks faster.
Enzo began alerting patients to the breach in June 2023.
About 1.46 million New Yorkers were affected, including about 405,000 whose Social Security numbers were compromised. New York will receive $2.8 million from the settlement.
“Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals,” James said in a statement.
Enzo did not immediately respond to a request for comment. The company exited clinical lab testing last August.
(Reporting by Jonathan Stempel in New York; editing by Jonathan Oatis)
Disclaimer: This report is auto generated from the Reuters news service. ThePrint holds no responsibilty for its content.