When safety isn't a priority: the story of a biotech company.
New York-based company Enzo Biochem found itself in a difficult situation after a cyberattack that occurred in 2023. The incident resulted in the compromise of personal data of more than 2.4 million people.
New York Attorney General Letitia James announced the completion of the investigation on Tuesday. The findings are disappointing: the investigation found numerous violations of cybersecurity rules at the company, which not only made it easier for hackers to gain access but also made the attack harder to detect.
Now Enzo Biochem will have to pay a fine of $4.5 million. The amount will be distributed among three states: New York, New Jersey and Connecticut. New York will receive the largest share, as it is home to the majority of victims — about 1.457 million people.
The root cause of such a serious security breach was improper management of credentials. It turned out that two accounts were shared by five employees at once. Moreover, one of the passwords had not been changed for ten years, which raises serious questions about its reliability.
The problems don't end there. Enzo Biochem did not use two-factor authentication. Employees could access their email from anywhere in the world without additional checks. In addition, some servers and workstations stored confidential patient data in unencrypted form.
With this approach, it is not surprising that the company was unable to detect the intrusion in time. Instead of using modern automated monitoring systems, Enzo relied on manual monitoring of network activity. As a result, the attackers operated freely in the company's systems for several days.
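The control failures listed above (accounts shared by several people, a password left unrotated for a decade, no second factor on remote email access, patient data stored unencrypted) are exactly what a routine inventory audit catches before an investigator does. The following Python is an added example, not code from the original post or from Enzo Biochem; the account and host records, the field names and the one-year rotation threshold are constructed assumptions for illustration.

```python
"""
Credential-hygiene audit over a constructed account and host inventory.

Added example, not code from the original post or from Enzo Biochem. It
flags the kinds of findings the investigation cited: accounts used by
several people, passwords not rotated for years, accounts without MFA,
and hosts holding patient data without encryption at rest. All records,
field names and thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    name: str
    users: list[str]        # people who actually log in with this account
    password_set: date      # when the current password was last changed
    mfa_enabled: bool


@dataclass
class Host:
    name: str
    holds_phi: bool         # stores patient (protected health) data
    disk_encrypted: bool    # encryption at rest enabled


MAX_PASSWORD_AGE_DAYS = 365   # assumed policy threshold for rotation


def audit_accounts(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return (account, finding, detail) tuples for every hygiene failure."""
    findings = []
    for a in accounts:
        # One credential, many people: logins can no longer be attributed.
        if len(a.users) > 1:
            findings.append((a.name, "shared", f"used by {len(a.users)} people"))
        age_days = (today - a.password_set).days
        if age_days > max_age_days:
            findings.append((a.name, "stale-password", f"{age_days} days old"))
        if not a.mfa_enabled:
            findings.append((a.name, "no-mfa", "no second factor required"))
    return findings


def audit_hosts(hosts):
    """Flag hosts that keep patient data without encryption at rest."""
    return [(h.name, "phi-unencrypted", "patient data without encryption at rest")
            for h in hosts if h.holds_phi and not h.disk_encrypted]


# Constructed inventory: names and dates are made up for the example.
ACCOUNTS = [
    Account("lab-shared", ["alice", "bob", "carol"], date(2014, 3, 1), False),
    Account("mail-admin", ["dave", "erin"], date(2023, 9, 1), False),
    Account("alice", ["alice"], date(2024, 5, 10), True),
]
HOSTS = [
    Host("lims-db-01", holds_phi=True, disk_encrypted=False),
    Host("build-01", holds_phi=False, disk_encrypted=False),
    Host("ehr-app-02", holds_phi=True, disk_encrypted=True),
]


def run_audit(today=date(2024, 8, 13)):
    """Run both audits against the constructed inventory (assumed 'today')."""
    return audit_accounts(ACCOUNTS, today) + audit_hosts(HOSTS)


if __name__ == "__main__":
    for name, kind, detail in run_audit():
        print(f"{kind:16} {name:12} {detail}")
```

The static records stand in for exports from the directory service and endpoint management; in production the inventory is pulled from there on a schedule, and the findings feed a ticket queue rather than stdout. Note that the "shared" check depends on being able to attribute logins to individual people, which is precisely what a shared password defeats: once several staff use one credential, neither the audit nor an incident responder can say who did what.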
New Jersey Attorney General Matthew J. Smith Platkin expressed bewilderment at the fact that the medical company did not comply with even basic precautions for online accounts, including instructing employees not to share passwords.
After the incident, Enzo Biochem developed a comprehensive plan to improve cybersecurity. The company has implemented a threat detection and response system, hired a 24-hour security monitoring service, tightened password requirements, and implemented two-factor authentication. A "zero-trust" approach was also applied.
The Attorneys General of the three states imposed a number of additional requirements on the company to ensure that a high level of security is maintained now that the investigation is complete.
Letitia James stressed that medical procedures should not lead to the risk of patients' personal data being stolen by cybercriminals. She noted that companies that neglect data security expose patients to serious risks of fraud and identity theft.
The case of Enzo Biochem is a reminder of the vulnerability of medical organizations to cyber threats. This year there have already been major incidents at Change Healthcare and Synnovis, which demonstrated how serious the consequences of attacks on the medical sector can be.
Source