
3 State AGs Fine Biotech Firm $4.5M for 2023 Hack

Investigators Highlight Enzo Biochem's Failure to Fix Known Security Risks

New York-based biotechnology firm Enzo Biochem will pay $4.5 million in state fines and must implement a list of security improvements, thanks to a 2023 ransomware attack that affected 2.4 million patients nationwide.


Investigators highlighted a long list of cybersecurity issues, including the company's failure to fix known security risks and a practice of sharing admin credentials, including a password that hadn't changed in a decade.

The action brought by the attorneys general for New York, New Jersey and Connecticut against the genetic testing and lab services company follows a data breach investigation that uncovered a variety of data security shortcomings and practices that allegedly violated HIPAA as well as state consumer laws.

"Getting bloodwork or medical testing should not result in patients having their personal and health information stolen by cybercriminals," said New York Attorney General Letitia James in a statement.

New York, which had the most citizens affected - 1.5 million patients - will receive $2.8 million of the $4.5 million fine. New Jersey, with 331,600 residents affected, will receive $930,000; and Connecticut, with 193,000 consumers affected, will receive about $743,111.

Cybercriminals in an April 2023 ransomware attack against Enzo Biochem stole files and data containing health and personal information of millions of patients, including names, addresses, birthdates, phone numbers and Social Security numbers, plus medical treatment and diagnosis information.

That information is a major target for cybercriminals, and the New York attorney general warned, "Healthcare companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft. Data security is part of patient safety."

Alleged Security Failures

The state attorneys general in their report highlighted several alleged failures, pointing out that Enzo Biochem had identified some risks, and recommended steps to remediate them, in a November 2021 HIPAA risk analysis nearly two years before the attack, as well as in an earlier 2017 risk analysis of its information systems, but the company did not implement them.

"The AGs noted that although there were gaps identified in the risk analysis of this company, they were never corrected, which is very problematic," said regulatory attorney Rachel Rose, who was not involved in the Enzo Biochem case.

"These items really just underscore that a focus on cybersecurity in healthcare, which is one of the 16 critical infrastructure sectors, is not going away," Rose said. "It's going to be incumbent upon all persons involved in creating, receiving, maintaining or transmitting individually identifiable health information or protected health information to stay on top of their privacy and security."

Breach Details

Attackers gained remote access to Enzo's private network in early April 2023, the attorneys general said in a report about the incident.

"The attackers were then able to move through the network using at least two Enzo user accounts with administrator privileges. The login credentials to two administrator accounts the attackers used were shared among five employees and the credentials associated with one of these accounts had not been changed for 10 years," the report says.

The attackers accessed a variety of Enzo systems and data that contained patient information, including files stored on shared network space, and a database. None of the files or data were encrypted at the file level, the report said.

The hackers also installed malicious software on several Enzo systems. "On April 4, 2023, this software began pinging attacker-controlled servers outside of the Enzo network. Over the course of two days, the software made hundreds of thousands of attempts to connect to these servers," the report says.

Although Enzo's firewall identified tens of thousands of these connection attempts as malicious and blocked them, Enzo personnel did not become aware of the attackers' activity until several days later because Enzo did not have a system or process in place to monitor for or provide notice of suspicious activity, the report says.
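The gap described above, a firewall that blocked the beaconing while nothing turned those blocks into an alert, can be closed with a simple detection run over the firewall's own deny logs. The following is an added example, not code from the report or from Enzo; it assumes a generic "timestamp ACTION src -> dst:port" log format, a fixed list of internal address ranges, and constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Internal address space assumed for this example; a real deployment uses its own ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Constructed sample firewall lines in an assumed "timestamp ACTION src -> dst:port" format.
SAMPLE_LOG = """\
2023-04-04T09:00:01 DENY 10.20.5.17 -> 203.0.113.40:443
2023-04-04T09:00:02 DENY 10.20.5.17 -> 203.0.113.40:443
2023-04-04T09:00:03 DENY 10.20.5.17 -> 198.51.100.9:8443
2023-04-04T09:00:04 ALLOW 10.20.5.17 -> 10.20.1.2:445
2023-04-04T09:00:05 DENY 10.20.5.17 -> 203.0.113.40:443
2023-04-04T09:00:06 DENY 10.20.7.3 -> 198.51.100.77:443
2023-04-04T09:00:08 DENY 10.20.5.17 -> 203.0.113.40:443
2023-04-04T09:05:00 DENY 10.20.5.17 -> 203.0.113.40:443
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<act>ALLOW|DENY) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):\d+$")

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def parse_lines(text):
    """Yield (timestamp, action, src, dst) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["act"], m["src"], m["dst"]

def blocked_egress_bursts(text, threshold=4, window=timedelta(minutes=1)):
    """Return {src: peak_count} for internal hosts with >= threshold blocked outbound connections to external addresses in any window."""
    denies = defaultdict(list)
    for ts, act, src, dst in parse_lines(text):
        if act == "DENY" and is_internal(src) and not is_internal(dst):
            denies[src].append(ts)
    flagged = {}
    for src, times in denies.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):  # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged
```

With the sample above, only 10.20.5.17 is flagged (five blocked egress attempts inside one minute); the later isolated attempt and the other host's single deny stay below the threshold.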

On April 5, 2023, the attackers exfiltrated approximately 1.4 terabytes of Enzo files and data that contained patient information.

"The attackers also deployed ransomware that encrypted several Enzo systems, rendering them inaccessible without the decryption key held by the attackers. Enzo discovered the encrypted systems, and the attack, on April 6, 2023," the report says.

The attackers demanded a ransom payment to provide the decryption key to unlock the encrypted files and not publicly release the stolen information, according to the report.

Enzo engaged legal counsel on April 6, 2023, and that counsel engaged a cybersecurity firm to conduct an investigation, the attorneys general said.

"The cybersecurity firm was able to find some evidence of the attackers' activity. Enzo provided the cybersecurity firm with logging from the time of the incident, which was limited because Enzo did not maintain comprehensive records of user and network activity," the report says.

"Based on the available evidence, the cybersecurity firm did not identify the attackers' initial vector of attack or the method by which attackers compromised Enzo accounts with administrator privileges."

The forensic investigation identified ransomware encryption and the presence of the attackers' tools on an Enzo database server. "This server, used strictly for analytic and reporting purposes, contained files relating to tests rendered between October 2012 and April 2023 for approximately 2.4 million patients," the report says. There was also evidence of data exfiltration from an Enzo file server.

Enzo Biochem on April 6, 2023, in a filing notified the U.S. Securities and Exchange Commission about the incident, saying at the time that the company had activated its disaster recovery plan, allowing it to continue operations while it brought its systems back online (see: Lab Testing Firm Says Ransomware Breach Affects 2.5 Million).

The company has not publicly stated whether it paid a ransom to its attackers or disclosed the identity of the ransomware group claiming responsibility for the incident.

Enzo Biochem did not immediately respond to Information Security Media Group's request for comment on the enforcement action against the company by the state attorneys general.

Besides paying the multimillion-dollar financial penalty under the terms of the agreement with the states, Enzo Biochem must also implement a comprehensive cybersecurity program consisting of a series of specified measures.

That includes implementing and maintaining multifactor authentication for all individual user accounts; encrypting all personal information, whether stored or transmitted; conducting and documenting annual risk assessments; and developing, implementing and maintaining a comprehensive incident response plan for potential data security issues.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.