Enzo Biochem, Inc. reached a $4.5 million settlement with law enforcement officials who said its lax cybersecurity standards led to a data breach. Credit: John Roca

Enzo Biochem Inc., a Farmingdale-based biotech firm, reached a $4.5 million settlement with law enforcement officials who said its lax cybersecurity standards led to a data breach.

Attackers got past Enzo's "deficient" security system in April 2023, in part, by exploiting vulnerabilities that were exposed at least a year and a half earlier, according to a joint investigation by the New York, New Jersey and Connecticut attorneys general's offices.

Hackers logged on with two user accounts that were shared among five employees, according to a "discontinuance" agreement that Enzo signed to prevent prosecution. One of those accounts hadn't had its credentials changed in a decade, the document said.

Attackers said they stole 1.4 terabytes of data, including patient information that wasn't encrypted — or scrambled into unintelligible material that requires a digital key to be converted into legible information. An outside vendor urged Enzo to encrypt patient information on servers and workstations while conducting a security assessment in November 2021, the attorneys general said.

The attackers ultimately encrypted Enzo systems and told the firm it must pay an undisclosed sum for the key to decode the material, the attorneys general said. About 2.4 million patients, including nearly 1.5 million New Yorkers, potentially had personal information exposed, including their names, dates of birth, Social Security numbers and diagnoses, the settlement said.

It's unclear whether Enzo paid a ransom. Neither the firm nor New York Attorney General Letitia James' Office immediately answered questions about the ransom. 

"Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals," James said in a statement. "Health care companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft."

Enzo previously offered diagnostic testing in the metropolitan area, but sold that arm of its business last summer. It now focuses on making and selling proteins, antibodies and other tools for clinical research and pharmaceutical development.

About $2.8 million of the $4.5 million settlement payment will be directed to James' office. The New York Attorney General's Office has sole discretion over how the money may be used, the settlement said. 

Enzo also agreed to provide identity theft protection to anyone whose information was exposed and committed to making a number of improvements to its cybersecurity efforts.

Shares of Enzo rose 2.9% to close at $1.08 Tuesday, according to S & P Capital IQ, a financial market platform. Enzo had net income of $44.7 million for the year ending in April, S & P Capital IQ noted.