Source URL: https://www.theregister.com/2025/01/16/enzo_biochem_ransomware_lawsuit/
Source: The Register
Title: Enzo Biochem settles lawsuit over 2023 ransomware attack for $7.5M
Feedly Summary: That’s in addition to the $4.5M fine paid to three state AGs last year
Enzo Biochem has settled a consolidated class-action lawsuit relating to its 2023 ransomware incident for $7.5 million.…
Summary: Enzo Biochem’s recent settlement over a ransomware attack highlights significant security failings in the healthcare sector, including poor credential management and lack of multi-factor authentication. The company has since made considerable investments to upgrade its security infrastructure and has adopted a Zero Trust model to enhance data protection.
Detailed Description:
The incident involving Enzo Biochem serves as a critical case study for security and compliance professionals, particularly in the healthcare sphere, where data breaches can have severe implications for patient safety and privacy.
Key Points:
– **Settlement Details**: Enzo Biochem settled a class-action lawsuit for $7.5 million related to a ransomware attack that compromised the data of 2.47 million individuals. The company had already paid $4.5 million to state attorneys general earlier for the same incident.
– **Data Protection Upgrades**: The settlement mandates unspecified upgrades to data protection systems, which Enzo has claimed to have completed. These include:
  – Initial investments in security enhancements, highlighted by a 15-point refurbishment of cybersecurity functions.
  – Implementation of multi-factor authentication (MFA) and stronger password policies.
  – Investment in endpoint detection and response (EDR) systems and a managed security operations center (SOC).
– **Investigation Findings**: A report led by New York Attorney General Letitia James indicated various security lapses, including:
  – Inadequate credential hygiene, with credentials shared among multiple employees and left unchanged for years.
  – Lack of multi-factor authentication and ineffective encryption of data at rest.
  – Weak IT risk evaluation processes.
  – A two-day delay in detecting the breach following the encryption of patient data.
– **Zero Trust Adoption**: As part of its remedial measures, Enzo has adopted the Zero Trust security model, which emphasizes strict verification and minimized trust assumptions within network access.
– **Consequences and Industry Context**: Enzo’s stock price plummeted to $0.70, reflecting investors’ reactions to the breach. Similar data-stealing cyberattacks affected other healthcare companies, indicating a broader vulnerability in the medical sector’s cybersecurity posture.
Overall, this case illustrates the necessity of robust data protection practices in healthcare to safeguard against data breaches, highlighting the critical importance of compliance, continuous monitoring, and investment in cybersecurity infrastructure. Security professionals should reflect on these lessons to improve their organizations’ readiness against cyber threats.