Enzo Biochem, a New York company, found itself in a challenging situation following a cyber attack in 2023 that compromised the personal data of over 2.4 million individuals.
New York Attorney General Letitia James disclosed the results of the investigation on Tuesday, revealing numerous cybersecurity rule violations by the company that not only facilitated the hackers' access but also impeded detection of the attack.
As a consequence, Enzo Biochem has been ordered to pay a fine of $4.5 million, with New York, New Jersey, and Connecticut receiving a share. New York, having the highest number of victims at approximately 1.457 million, will receive the largest portion.
The breach stemmed from poor management of user accounts and credentials: five employees shared two accounts, and one password had remained unchanged for a decade, raising serious concerns about the security of those accounts.
In addition, the company lacked two-factor authentication, allowing employees to access email from anywhere without additional verification, and stored patient data on some servers and workstations in an insecure manner.
By relying on manual network activity monitoring instead of modern automated systems, Enzo failed to detect the intrusion promptly, enabling attackers to operate within the company’s systems unrestricted for several days.
New Jersey Attorney General Matthew J. Platkin expressed astonishment at Enzo Biochem’s failure to even comply with basic online account security measures, such as educating employees on password best practices.
Following the incident, Enzo Biochem has implemented a comprehensive cybersecurity enhancement plan, including threat detection and response systems, 24/7 security monitoring, stricter password protocols, and two-factor authentication, adopting a “zero trust” approach.
In light of the investigation, the Attorneys General of the three states have imposed additional security requirements to ensure a high level of protection moving forward.
James stressed the importance of safeguarding patient data from cybercriminals, asserting that neglecting data security places individuals at risk of fraud and identity theft.
The Enzo Biochem case underscores the cybersecurity vulnerabilities faced by medical organizations, with recent incidents at Change Healthcare and Synnovis highlighting the severe consequences of cyber attacks on the healthcare sector.