Enzo BioChem has agreed to a $4.5 million settlement with New Jersey, New York and Connecticut over its allegedly deficient data and security safeguards, which led to a 2023 ransomware attack that compromised the personal health data of 2.4 million patients, including about 331,600 New Jersey residents.
An investigation into the April 2023 cyberattack on Enzo revealed that the company’s networks were accessed using two employee login credentials with administrator privileges. The risk of the attack was heightened because those two logins were shared among five employees. One of the login credentials had not been changed in 10 years, according to the consent order reached between the company and the states.