Clinical test data of 2.5 million people stolen from biotech company Enzo Biochem

An April ransomware attack on a biotech company resulted in the compromise of test information and personal data of nearly 2.5 million people, according to regulatory filings.

Enzo Biochem, a New York-based biosciences and diagnostics company, said that on April 6 it experienced a ransomware attack that involved the “unauthorized access to or acquisition of clinical test information of approximately 2,470,000 individuals.”

The company was able to maintain operations but discovered on April 11 that names, test information, and approximately 600,000 Social Security numbers were accessed, “and in some instances, exfiltrated from the Company’s information technology systems,” the company said in an 8-K filing with the U.S. Securities and Exchange Commission. It added that it would notify affected individuals and regulators, as required by law.

No ransomware group has taken credit for the attack. The company said it disconnected its systems from the internet, hired cybersecurity experts and notified law enforcement after the incident was discovered.

Enzo Biochem said it is still investigating the incident but noted that it has and may continue to incur expenses related to the remediation of the attack.

“Further, the Company remains subject to risks and uncertainties as a result of the incident, including as a result of the data that was accessed or exfiltrated from the Company’s network as noted above,” the CEO Hamid Erfanian said in the SEC filing.

“Additionally, security and privacy incidents have led to, and may continue to lead to, additional regulatory scrutiny. The Company is in the process of evaluating the full scope of the costs and related impacts of this incident.

The company reported a 2022 fiscal year revenue of $32.6 million and is well-known for being one of the first biotechnology companies to go public.

Enzo Biochem becomes the latest medical sciences company to experience a leak of patient data in recent months as a result of a ransomware attack. The largest pharmaceutical company in India – Sun Pharmaceuticals — confirmed a ransomware attack in March regulatory filings, explaining that the incident involved the theft of company data and personal information.

Two weeks ago, one of the world’s largest pharmacy companies announced a data breach involving the sensitive personal data of nearly six million people after a ransomware group claimed it attacked the company.

Hospital technology company NextGen Healthcare, healthcare software company Independent Living Systems and medical device maker Zoll all announced breaches in recent months that involved the sensitive information of millions of patients.