
Biotech firm settles class action lawsuit over ransomware attack for $7.5 million

A large biotech company decided to settle a class action lawsuit for $7.5 million after facing backlash for a ransomware attack that exposed the diagnostic test information and personal data of nearly 2.5 million people.

Enzo Biochem filed a report to the U.S. Securities and Exchange Commission on Wednesday evening announcing a settlement to conclude the civil suit.

The company was hit with ransomware in April 2023 in an attack that it previously said involved the “unauthorized access to or acquisition of clinical test information of approximately 2,470,000 individuals.” The company was able to maintain operations but discovered on April 11, 2023, that names, test information, and approximately 600,000 Social Security numbers were accessed.

In a new filing, Enzo Biochem said the $7.5 million settlement fund “provides for the full and final release of the Company and its subsidiaries from any and all claims.” The company also noted that it previously committed to “make certain upgrades to its data protection systems, which have been made.”

The settlement comes after Enzo Biochem agreed last year to pay three state governments $4.5 million for the same ransomware attack. 

An investigation led by New York’s Office of the Attorney General (OAG) found that the attackers — who were never identified and never came forward publicly — accessed Enzo’s networks using two employee login credentials. 

“The OAG later found that those two login credentials were shared between five Enzo employees and one of the login credentials hadn’t been changed in the last ten years, putting Enzo at heightened risk of a cyberattack,” the OAG said. The company also did not use multi-factor authentication for remote access to email, investigators said.

Enzo Biochem warned investors in 2023 that it would likely face financial penalties from regulators and lawsuits in relation to the ransomware attack. The company reported fiscal 2022 revenue of $32.6 million and is well-known for being one of the first biotechnology companies to go public. 

Healthcare organizations are facing increasing scrutiny for ransomware attacks that expose patient data. 

The U.S. Department of Health and Human Services (HHS) has secured eight settlements related to ransomware attacks on healthcare industry companies. 

The department said ransomware has become one of the primary threats to healthcare and provided data showing a 264% increase since 2018 in large breaches involving ransomware that were reported to its Office for Civil Rights.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.