Biotech company reaches settlement for $7.5 million in ransomware attack class action suit

... conclude the civil suit. The company, which was hit with ransomware in April 2023, disclosed that approximately 2,470,000 individuals’ clinical test information was compromised. Following the attack, Enzo Biochem took immediate action and found that names, test information, and around 600,000 Social Security numbers had been accessed.

In response to the breach, Enzo Biochem agreed to a $7.5 million settlement to resolve the class action lawsuit, providing a resolution that releases the company and its subsidiaries from any further claims related to the incident. Additionally, the company emphasized its commitment to upgrading its data protection systems in the wake of the ransomware attack. This settlement followed a previous agreement to pay three state governments $4.5 million in connection with the same security breach.

A subsequent investigation by New York’s Office of the Attorney General (OAG) revealed that the attackers gained access to Enzo’s networks using two employee login credentials. The OAG discovered that these credentials, shared among five employees, had not been changed in a decade, significantly increasing the company’s vulnerability to cyberattacks. Additionally, Enzo Biochem was found to lack multi-factor authentication for remote access to email, further exposing its systems to potential security threats.

In anticipation of regulatory penalties and legal repercussions stemming from the ransomware attack, Enzo Biochem forewarned investors of potential financial consequences. Despite reporting revenue of $32.6 million in fiscal year 2022, the company acknowledged the risks associated with cyber threats and the importance of implementing robust security measures to safeguard sensitive data.

This incident underscores the growing challenges faced by healthcare organizations in safeguarding patient data from ransomware attacks. The U.S. Department of Health and Human Services (HHS) has taken action to address this issue, securing eight settlements related to ransomware attacks targeting healthcare industry companies. With ransomware emerging as a prominent threat to healthcare organizations, the HHS has observed a significant 264% increase in large breaches involving ransomware reported to its Office for Civil Rights since 2018.

As the healthcare industry grapples with escalating cybersecurity risks, the Enzo Biochem case serves as a cautionary tale highlighting the importance of robust data protection measures and proactive security protocols in safeguarding sensitive patient information from malicious cyber threats.