Enzo Biochem ordered to cough up $4.5 million over lousy security that led to ransomware disaster

August 14, 2024 at 01:10PM

Biotech company Enzo Biochem is required to pay a $4.5 million penalty to three state attorneys general after a 2023 ransomware attack compromised data for over 2.4 million individuals. The company’s poor cybersecurity practices allowed attackers to gain access, impacting New York, New Jersey, and Connecticut residents. Enzo is now making significant security improvements following the incident.

Key Takeaways from Meeting Notes:

1. Enzo Biochem is facing a penalty of $4.5 million imposed by the attorneys general of New York, New Jersey, and Connecticut due to a ransomware attack in 2023 that compromised the data of over 2.4 million people.

2. New York will receive the majority of the penalty because Enzo is a New York-based company and because New York had the highest number of individuals impacted (circa 1.457 million).

3. The ransomware attack exposed various cybersecurity malpractices at Enzo, including poor credential hygiene, lack of multi-factor authentication (MFA), and failure to encrypt all sensitive patient data at rest.

4. The company’s security failings include outdated user credentials, lack of encryption on servers and desktop workstations, missing documentation, and a manual approach to monitoring network activity.

5. New Jersey attorney general Matthew J Platkin highlighted Enzo’s failure to abide by basic security precautions for online accounts and emphasized the importance of robust cybersecurity for healthcare firms.

6. Enzo has committed to a comprehensive 15-point security investment plan, including the migration of sensitive data to secure storage, the implementation of an endpoint detection and response (EDR) system and a managed security operations center (SOC), and the enforcement of MFA and Zero Trust principles.

7. The attorneys general have imposed additional requirements on Enzo to ensure the maintenance of improved security standards beyond the investigation’s scope.

8. The absence of any ransomware group claiming responsibility for the attack on Enzo distinguishes this case, but it still reflects the prevalent targeting of healthcare organizations by cybercriminals for financial gain.

9. The broader context highlights similar attacks on medical companies during the spring of 2023, emphasizing the disruptive nature of cyber incidents within the healthcare sector.

10. Enzo did not respond to a comment request from El Reg regarding the incident.

Overall, the meeting notes provide insights into the cybersecurity challenges faced by Enzo Biochem following the ransomware attack and the subsequent actions taken by regulatory authorities and the company to address the security weaknesses.