Clinical Test Info, SSNs Exfiltrated, Company Tells SEC
Ransomware hackers stole the clinical test information of nearly 2.5 million individuals from a New York life sciences company, the company told federal regulators.
Enzo BioChem in a Tuesday filing with the U.S. Securities and Exchange Commission said its investigation into a ransomware attack experienced on April 6 concluded that hackers accessed or acquired the clinical test information of 2.47 million patients, as well as 600,000 Social Security numbers.
Farmingdale, N.Y-based Enzo provides testing services, including for novel coronavirus, genetic conditions, and sexually transmitted diseases – as well as treatments for cancers, metabolic and infectious diseases. The company in its SEC filing said it “incurred and may continue to incur” expenses related to the attack, including costs to remediate and investigate the incident.
Enzo did not provide the SEC with a dollar estimate for the projected financial impact of the attack.
Enzo already filed a notice with the SEC on April 15, disclosing that the company had suffered the April 6 ransomware attack.
In that earlier regulatory filing, Enzo said its facilities remained open, and it continued to provide services to its patients and partners using back-up processes and other downtime procedures.
The company activated its disaster recovery plan, allowing it to continue operations while it brought its systems back online, it told regulators.
Back-up procedures nonetheless created operational challenges and caused delays in the processing of laboratory specimens, Enzo said.
Enzo did not immediately respond to Information Security Media Group’s request for additional details about the incident, including the type of ransomware involved in the attack and whether a ransom was demanded or paid.
Enzo is among the latest large companies servicing the healthcare sector to report a major data breach involving ransomware in recent weeks.
“These sorts of incidents are just generally concerning,” says privacy and security attorney Brad Rostolsky of the law firm Reed Smith.
When clinical testing and other related highly personal health information is exfiltrated, “the facts and parties become more complicated, due to a higher than usual likelihood that the individuals involved are dealing with incredibly sensitive healthcare situations,” he said.