Enzo Biochem settles lawsuit over 2023 ransomware attack for $7.5M

That's in addition to the $4.5M fine paid to three state AGs last year


Enzo Biochem has settled a consolidated class-action lawsuit relating to its 2023 ransomware incident for $7.5 million.

The agreement was reached on January 13 and disclosed via a Form 8-K with the Securities and Exchange Commission (SEC) two days later.

In addition to the settlement fee, the agreement mandated that Enzo make "certain upgrades to its data protection systems" – the details were unspecified. These measures, it reported to the SEC, had already been completed.

The life sciences company, which develops research and diagnostic tools, also had to cough up $4.5 million to three state attorneys general just five months ago related to the same April 2023 attack.

New York attorney general Letitia James led the investigation into the company's security practices, finding various failings that led to 2.47 million people's data being compromised.

Enzo's credential hygiene was a particular point of concern. James' office's investigation into the attack [PDF] revealed that genuine company credentials were used to make the initial intrusion, and these credentials were shared among five employees.

One of the credentials hadn't been updated in ten years. Enzo also didn't require multi-factor authentication (MFA), its processes for encrypting data at rest were deemed ineffective, and it was found to have taken an "informal" approach to evaluating IT risk, among other findings.

"Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals," the attorney general said at the time.

"Healthcare companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft. Data security is part of patient safety, and my office will continue to hold companies accountable when they fail to protect New Yorkers."

The New York-based company responded to the attack in 2023 by making big investments in security, funding an extensive 15-point refurbishment of its cyber function.

An authentication overhaul was executed, introducing MFA and more stringent password complexity requirements. It also paid for an endpoint detection and response (EDR) system and a 24/7 managed security operations center (SOC), among other things. Adopting the fabled "Zero Trust" helped it resolve the case too.

The attack was never claimed by a known ransomware group. James's report confirmed that Enzo's systems were encrypted, but did not clarify whether a ransom was paid.

The report further revealed that attackers exfiltrated approximately 1.4 TB of Enzo's data. The types of data potentially accessed or stolen included names, dates of birth, home addresses, phone numbers, medical treatment and diagnosis information, clinical test information, and social security numbers.

The intrusion began on April 4. The company's firewall blocked numerous malicious connections but failed to notify staff because there were no systems in place dedicated to monitoring or alerting the relevant people to suspicious network activity.
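The gap described above is a firewall that blocks but never tells anyone. As an added illustration (not code from the report or from Enzo), the following script reads constructed firewall deny records and raises an alert when one source accumulates a burst of blocked connections inside a short window, which is the kind of simple monitoring the report says was absent. The log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall records (not from the Enzo incident).
SAMPLE_LOG = """\
2023-04-04T01:02:11Z action=deny src=198.51.100.7 dst=10.0.0.5 dport=3389
2023-04-04T01:02:14Z action=deny src=198.51.100.7 dst=10.0.0.5 dport=3389
2023-04-04T01:02:19Z action=deny src=198.51.100.7 dst=10.0.0.6 dport=445
2023-04-04T01:03:02Z action=allow src=203.0.113.9 dst=10.0.0.5 dport=443
2023-04-04T01:03:40Z action=deny src=198.51.100.7 dst=10.0.0.7 dport=22
2023-04-04T01:04:05Z action=deny src=198.51.100.7 dst=10.0.0.8 dport=3389
2023-04-04T01:04:30Z action=deny src=198.51.100.7 dst=10.0.0.9 dport=3389
2023-04-04T02:30:00Z action=deny src=192.0.2.44 dst=10.0.0.5 dport=22
"""

def parse_line(line):
    """Parse one assumed 'key=value' firewall record into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_deny_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: total_denies} for every source that reaches `threshold`
    denied connections within any sliding `window`. Blocking is only half the
    control; this is the alerting half that turns a log into a pager."""
    denies = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] == "deny":
            denies[rec["src"]].append(rec["ts"])
    alerts = {}
    for src, times in denies.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = len(times)
                break
    return alerts

if __name__ == "__main__":
    for src, n in find_deny_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {src} produced {n} denied connections; review for probing")
```

Feeding the alerts to an on-call channel or SIEM rule is what closes the two-day detection gap the report describes; the threshold and window should be tuned to the site's normal noise.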

It took Enzo two days to realize it had been compromised, only after the attackers lifted patient data and deployed an encryption payload, James's report stated.

The company's stock price tumbled following the attack and is now trading at $0.70 per share – its lowest since 1991.

Enzo Biochem was one of many medical companies to be hit with data-stealing cyberattacks all around the same time. Companies including Zoll, Independent Living Systems, NextGen Healthcare, and PharMerica all experienced similar events during spring 2023 and all are based in the northern hemisphere, although there is no suggestion the attacks were linked. ®
