
It started quietly: a few envelopes arriving by mail, each carrying a message that felt both routine and unnerving. Most recipients probably assumed they were billing notices or test results. They were instead confirmation that their private health information had been compromised.
That confirmation traced back to a ransomware attack on Enzo Biochem in April 2023. The breach began with little fanfare, but what followed was a slow unraveling of what had gone wrong and why it mattered more than many first realized.
| Item | Details |
|---|---|
| Case Title | Enzo Biochem Data Security Litigation |
| Incident Date | April 6, 2023 |
| Individuals Affected | Approximately 2.47 million |
| Compromised Data | Clinical test results, names, ~600,000 Social Security numbers |
| Settlement Amount | $7.5 million (class action) |
| State Penalties | $4.5 million to NY, NJ, and CT |
| Key Dates | Claims due by June 23, 2025; Objections by May 23, 2025 |
| Official Info | enzodatasettlement.com |
Enzo then confirmed the worst: unauthorized access had reached nearly 2.5 million individuals, with sensitive data ranging from lab test results to full Social Security numbers for hundreds of thousands of them. The size alone made headlines, but it was the nature of the data, clinical, intimate, quietly personal, that made the incident so alarming.
Unlike a credit card number, a medical history cannot be reissued.
A number of subsequent lawsuits were eventually consolidated into a single class action. The central allegation was remarkably consistent across the filings: Enzo had not taken appropriate precautions to safeguard the information it gathered. The plaintiffs contended that the breach was not merely regrettable but preventable.
And investigators, both legal and regulatory, seemed to agree.
New York Attorney General Letitia James and her counterparts in New Jersey and Connecticut disclosed that Enzo's security controls were dangerously weak. They found that five employees had been sharing login credentials, and that one password had not been changed in ten years. The digital doors had been left open for far too long.
It felt less like a sophisticated cyberattack and more like someone walked through an unlocked gate.
Once inside, the attackers had time to install malware, harvest data, and eventually encrypt systems with ransomware. With no detection tooling and out-of-date protocols in place, an intrusion that could have been caught early grew into a full-scale breach.
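The two weaknesses the regulators named, credentials passed between employees and a password left unrotated for a decade, are both visible in ordinary directory and authentication data if anyone looks. The following Python audit is an added illustration of that kind of check; it is not Enzo's tooling or the regulators' evidence. The account names, hostnames, timestamps and the password-last-set table are constructed, and the 90-day rotation limit, the one-hour window and the two-host threshold are assumed policy values.

```python
"""Hypothetical audit for two failure modes named in the Enzo findings:
shared login credentials and passwords left unchanged for years.
Added example with constructed data, not Enzo's own tooling."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory export: account -> date the password was last set.
PASSWORD_LAST_SET = {
    "lab-results-svc": datetime(2013, 3, 1),   # never rotated in a decade
    "jsmith": datetime(2023, 1, 15),
    "rlee": datetime(2023, 2, 10),
}

# Constructed authentication events (account, source host, timestamp).
# A real deployment would parse these from Windows 4624 events, VPN or
# application logs rather than embedding them.
AUTH_EVENTS = [
    ("lab-results-svc", "WS-LAB-01", datetime(2023, 4, 3, 8, 2)),
    ("lab-results-svc", "WS-LAB-04", datetime(2023, 4, 3, 8, 5)),
    ("lab-results-svc", "WS-LAB-07", datetime(2023, 4, 3, 8, 9)),
    ("lab-results-svc", "WS-FIN-02", datetime(2023, 4, 3, 9, 30)),
    ("lab-results-svc", "WS-LAB-02", datetime(2023, 4, 4, 8, 1)),
    ("jsmith", "WS-LAB-03", datetime(2023, 4, 3, 8, 0)),
    ("jsmith", "WS-LAB-03", datetime(2023, 4, 4, 8, 3)),
    ("rlee", "WS-LAB-05", datetime(2023, 4, 3, 8, 4)),
    ("rlee", "VPN-GW", datetime(2023, 4, 3, 12, 0)),
]


def stale_passwords(last_set, now, max_age_days=90):
    """Return {account: age_in_days} for passwords older than max_age_days
    (90 days is an assumed policy value, not one taken from the case)."""
    cutoff = now - timedelta(days=max_age_days)
    return {acct: (now - when).days
            for acct, when in last_set.items() if when < cutoff}


def shared_credentials(events, window=timedelta(hours=1), max_hosts=2):
    """Flag accounts that authenticate from more than max_hosts distinct hosts
    inside any sliding window of the given length. One person rarely logs in
    from three workstations within an hour; a credential passed around a team
    does. Returns {account: sorted list of hosts seen in the first such window}."""
    by_account = defaultdict(list)
    for acct, host, ts in events:
        by_account[acct].append((ts, host))
    flagged = {}
    for acct, logins in by_account.items():
        logins.sort()  # chronological; tuples sort by timestamp first
        for i, (start, _) in enumerate(logins):
            hosts = {h for ts, h in logins[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                flagged[acct] = sorted(hosts)
                break
    return flagged


def run_audit(now=datetime(2023, 4, 6)):
    """Run both checks against the constructed data as of the assumed date."""
    return stale_passwords(PASSWORD_LAST_SET, now), shared_credentials(AUTH_EVENTS)


if __name__ == "__main__":
    stale, shared = run_audit()
    for acct, age in stale.items():
        print(f"STALE PASSWORD    {acct}: last set {age} days ago")
    for acct, hosts in shared.items():
        print(f"SHARED CREDENTIAL {acct}: used from {', '.join(hosts)} within one hour")
```

On the constructed data the service account is flagged by both checks: its password is over ten years old, and it authenticates from three different workstations inside seven minutes, which is the signature of a credential shared across a team rather than one person's login. The sliding window matters: the same account's later logins on other days do not trip the check on their own, so the heuristic stays quiet for a single user who simply moves between two machines.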
The penalties came quickly. Enzo agreed to pay $4.5 million to the three states, and a separate $7.5 million class action settlement followed shortly after. That settlement offered two years of credit monitoring, along with reimbursement of up to $10,000 for those who could document financial losses directly tied to the breach.
To some, the figures were comforting. To others, they were cold comfort.
Reading the details, I paused on one line: risk assessments in 2017 and 2021 had already identified security vulnerabilities. The company had the warnings. What it lacked was will, not knowledge.
Enzo did not admit wrongdoing, which is common in such settlements. But its post-breach actions said enough: multi-factor authentication rolled out, stronger passwords enforced, encryption protocols upgraded. What had once been optional had become urgent.
But the damage preceded that urgency.
The case attracted attention due to its scope as well as the implications it raised regarding vulnerabilities in the healthcare industry. Despite holding extremely sensitive data, many providers still view security as a checkbox rather than an essential feature.
And patients? They frequently do not know the difference until something goes wrong.
In the digital age, it is easy to grow numb to breaches. They appear weekly. What made this one different was the human weight of the data exposed. These were more than names or numbers; they were lab results, diagnoses, and health histories, now stripped of both protection and context.
Some impacted people may never experience any real harm. Others might not be as fortunate. Identity theft isn’t always immediate; it sometimes unfolds slowly, years later, through unexpected mail or denied loans.
The lawsuit does not by itself rebuild trust, but it does enforce accountability.
Enzo is now subject to yearly risk assessments and more stringent oversight. They’re required to maintain detailed incident response plans and encrypt all personal data, both in storage and in motion. These are fundamental measures rather than innovative ones.
Maybe that’s the lesson, though.
Protecting personal health information depends more on discipline than on innovation. Stale credentials and shared passwords are habits of convenience, not security tactics.
And when convenience wins, breaches follow.
There is, however, a noticeable shift in how regulators reacted. The joint action by three states signals a change in accountability: patient privacy is now treated as a public issue with legal consequences rather than an internal IT problem.
Moving forward, there’s reason for cautious optimism.
If more healthcare organizations come to treat data protection as part of patient care, these breaches may no longer be viewed as inevitable. The Enzo case will not end the trend of healthcare breaches, but it may mark the beginning of higher expectations.
And that, more than any settlement amount, could be the real outcome worth watching.
