Biotech biz Enzo Biochem is being forced to pay three state attorneys general a $4.5 million penalty following a 2023 ransomware attack that compromised the data of more than 2.4 million people.

New York's attorney general Letitia James announced the news on Tuesday after an investigation into Enzo's incident concluded, finding various cybersecurity malpractices that led to the attackers' initial access and delayed detection.

The money will be split between New York, New Jersey, and Connecticut, although the former will receive the lion's share of that. Enzo is a New York-based company and is home to the circa 1.457 million people who were affected by the incident, the majority of the total number of impacted individuals.

New Jersey will receive more than $930,000 after hundreds of thousands of its residents were caught up in the data heist, while Connecticut will receive $743,110.76 the people impacted in its State.

Among the more flagrant security failings at the biotech biz was the poor credential hygiene adopted on key user accounts. The investigation discovered that two sets of genuine user credentials were used to gain initial access to Enzo's systems, and these credentials were shared among five different employees.

To make matters worse, one of these credentials hadn't been updated in ten years. How secure that password would have been is anyone's guess.

Multi-factor authentication (MFA)? Nope, staff could access email from anywhere without needing to jump through any extra hoops. 

Enzo also didn't encrypt all sensitive patient data at rest, and that was known since 2021 - the date of its most recent vendor-administered HIPAA Security Risk Analysis before the attack. Sensitive data was encrypted in transit and at rest on laptops and phones, but some servers and desktop workstations stored it unencrypted.

The vendor discovered various other failings too, like missing documentation, an "informal" approach to evaluating risk to IT systems, and a failure to use automatic tooling for detecting network anomalies, among others.

This is perhaps why the company failed to detect the ransomware attackers' intrusion for days after they wormed their way in. All network activity was monitored manually rather than with automated systems, as is the norm, and this is what led to the attackers remaining unnoticed.

"It is stunning that as recently as last year, this healthcare company apparently did not abide by basic security precautions for online accounts, such as instructing its employees not to share passwords," said New Jersey attorney general Matthew J Platkin. 

"Businesses of all kinds, and especially healthcare firms, must make robust cybersecurity a top priority. Poor data security and privacy practices make it easy for cybercriminals to exploit technological vulnerabilities and gain access to sensitive health information."

Since the incident unfolded, Enzo has gone big on security investment with a hefty 15-point list of improvements that might just do a better job of concisely erasing its array of weaknesses prior to the attack.

The full list can be seen in the investigation writeup [PDF], but highlights include moving sensitive data to a secure enterprise storage solution installing an endpoint detection and response (EDR) system, paying for a 24/7 managed SOC, increasing minimum password length requirements, and enforcing MFA across various systems, including email. 

It wouldn't be a security overhaul without smashing the big red Zero Trust button either, and there's no exception here.

The attorneys general also slapped a bevy of additional requirements on Enzo, many of which relate to making sure the company maintains its improved security standards beyond the scope of the investigation.

"Getting blood work or medical testing should not result in patients having their personal and health information stolen by cybercriminals," said James. 

"Healthcare companies like Enzo that do not prioritize data security put patients at serious risk of fraud and identity theft. Data security is part of patient safety, and my office will continue to hold companies accountable when they fail to protect New Yorkers." 

In a rarity for such cases, no ransomware group ever claimed responsibility for the attack on Enzo, which at the time was involved in the clinical lab testing business before unrelatedly selling that unit shortly after the attack for $113.25 million.

It was, however, one of many medical companies to be broken into within a short period of time. The likes of Zoll, Independent Living Systems, NextGen Healthcare, and PharMerica were all hit in the northern hemisphere spring of 2023.

Healthcare organizations have long been the target of financially motivated cybercriminals. Just this year we've seen major incidents go down at Change Healthcare and Synnovis - a pathology service provider to numerous London hospitals - incidents that have once again spotlit how disruptive attacks on the sector can be.

El Reg approached Enzo for comment but it didn't respond in time for publication. ®

https://www.theregister.com//2024/08/14/enzo_biochem_ransomware_fine/