Cyber Incident Victim: Enzo Biochem
Date: Apr 2023
Location: United States of America
Summary
Enzo Biochem experienced a ransomware attack that impacted its information technology systems. The incident resulted in the unauthorized access and exfiltration of clinical test information for approximately 2.47 million individuals, which included the Social Security numbers of about 600,000 people. The company deployed containment measures, maintained operations via its disaster recovery plan, and initiated an investigation with third-party cybersecurity experts and law enforcement. The full scope of the incident and potential employee data involvement remained under assessment.
Description
On April 6, 2023, Enzo Biochem, Inc., a New York-based biosciences and diagnostics company, experienced a ransomware attack that impacted certain of its information technology systems. The company promptly deployed containment measures in response to the incident. A primary action taken was the disconnection of its systems from the internet, a step intended to isolate the threat and prevent further unauthorized access or spread of the attack within its network. Concurrently, the company launched an investigation into the nature and scope of the incident. This investigation was conducted with the assistance of external third-party cybersecurity experts, and the company also notified law enforcement agencies of the breach.

Throughout the response process, Enzo Biochem adhered to its existing disaster recovery plan. The execution of this plan enabled the company to maintain its operational capabilities despite the disruption to its IT infrastructure. The company's facilities remained open, and it continued to provide services to its patients and partners without significant interruption. This continuity of operations was a key aspect of the company's initial response, ensuring that its clinical and business activities could proceed while the forensic investigation was underway.
By April 11, 2023, the ongoing investigation yielded a significant development. The company became aware that certain data had been accessed, and in some instances, exfiltrated, from its information technology systems as part of the ransomware attack. The compromised data included individuals' names, clinical test information, and Social Security numbers. The investigation into the incident and the full assessment of its impact remained ongoing at the time of the company's subsequent regulatory filing. However, the company was able to identify that unauthorized access to or acquisition of clinical test information pertaining to approximately 2,470,000 individuals had occurred. Furthermore, the Social Security numbers of approximately 600,000 of these individuals were also involved in the breach. The company additionally noted that it was evaluating whether personal information belonging to its employees may have been involved in the incident as well.
In accordance with legal obligations, Enzo Biochem committed to providing formal notice to all individuals whose information may have been involved in the security breach. The company also stated it would notify the appropriate regulatory authorities as required by applicable law. The financial impact of the incident began to materialize immediately, with the company incurring expenses related to its response, remediation efforts, and the investigation itself. These costs were anticipated to continue as the company worked to fully address the aftermath of the attack. The expenses encompassed payments to cybersecurity experts, costs associated with system restoration and strengthening, and other unforeseen expenditures directly tied to managing the crisis.
The company acknowledged that it remained subject to significant risks and uncertainties as a direct result of the incident. These risks were primarily linked to the nature of the data that was accessed and exfiltrated from its network. The compromise of highly sensitive personal information, including clinical test data and Social Security numbers, exposed the company to potential legal liabilities, reputational damage, and financial losses. The incident also highlighted the persistent threat landscape facing companies in the medical and life sciences sector, with Enzo Biochem becoming one of several such organizations to experience a major ransomware attack in a short period, alongside companies like Sun Pharmaceuticals, NextGen Healthcare, Independent Living Systems, Zoll, and PharMerica.
A further consequence articulated by the company was the increased potential for additional regulatory scrutiny. Security and privacy incidents of this magnitude often lead to examinations by government agencies to determine compliance with data protection laws and regulations. The company was in the process of evaluating the full scope of the costs and related impacts, indicating that the total financial and operational burden was not yet fully quantified. The long-term implications for the company's operations and financial position were still being assessed months after the initial attack was discovered.
The incident did not disrupt the company's strategic business operations, including its ongoing process to sell its clinical lab division. The attack was disclosed in a Form 8-K filing with the U.S. Securities and Exchange Commission on May 30, 2023, signed by Chief Executive Officer Hamid Erfanian. The filing served as the official public disclosure of the material event, providing details to shareholders and the market. In its communication, the company included forward-looking statements regarding its ability to contain and assess the ransomware attack and the attack's impact on operations and financial results, while also cautioning that these statements were subject to a variety of risks and uncertainties beyond its control. As of the filing date, no ransomware group had publicly claimed responsibility for the attack on Enzo Biochem. The company undertook no obligation to update or revise its forward-looking statements except as may be required under applicable securities law, framing the disclosure within the standard protocols for corporate reporting of significant cyber events.
