Enzo Biochem ordered to cough up $4.5 million over lousy security that led to ransomware disaster

Biotech biz Enzo Biochem is being forced to pay three state attorneys general a $4.5 million penalty following a 2023 ransomware attack that compromised the data of more than 2.4 million people. New York's attorney general Letitia James announced the news on Tuesday after an investigation into Enzo's incident concluded, …

  1. ecofeco

    All the budget you want can't fix stupid

    While ITsec is often the stepchild of the company budgets, even given an unlimited budget, you can't stop some employees, AND ESPECIALLY THE EXECUTIVES, from ignoring it all. There are no consequences for them, are there?

  2. Doctor Syntax

    OK, that's the small change taken care of. Now fork out for realistic compensation to those whose information was nicked. $2 per head isn't anywhere near realistic.

  3. Anonymous Coward

    The healthcare industry as a whole is extremely bad.

    I want to say "exceptionally", but I honestly don't know.

    I have worked directly with many of the biggest names in health insurance and doctors groups. Just last week, we had a strong insistence from a doctors group that they could not do TLS. It turned out that their parent company had already implemented it (and I had personally validated it), but whoever the local "technical" person was was multi-dimensionally clueless.

    We updated our SFTP servers a couple of years ago--it broke some of our connections because their servers, coming from one of the larger health data exchanges, could only support ciphers that were no longer supported by sshd on the updated server. The IBM India contractor created a ticket to update their connection to support the oldest cipher suite my updated system could support.

    Last fall, we had a mid-sized insurance company insist that we log in and pull data from them--except their sftp server was only configured to support cipher suites that had been deprecated for ten years, and that were now finally dropped by the ssh client.

    Not to mention UHC.

    And of course, these are the SAME companies that are insisting that we rotate everyone's passwords every month or three despite NIST reversing that recommendation--in 2017.

    The thing is, that the ongoing cost of securing services is one that the bean counters see as optional. And the truth is, in the current legal environment it is. That's the dirty little secret. Look at Enzo's financials.

    Until we get criminal individual negligence involved, nothing is going to change.
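The SFTP failures described in the comment above come down to SSH algorithm negotiation: each side offers a list of ciphers, MACs and key-exchange methods, and the connection dies at KEXINIT when the two lists have no algorithm in common. The following Python script is an added example, not part of the comment thread or of any product mentioned in it. It parses `Ciphers`/`MACs`/`KexAlgorithms` lines from an sshd_config, flags algorithms against a legacy list (the classification is this example's own audit policy, modelled on what OpenSSH has dropped from its defaults, not a standard), and applies the first-match rule from RFC 4253 §7.1 to show why a modern client cannot connect to such a server. The sample config and client list are constructed.

```python
"""Audit an sshd_config for legacy SSH algorithms and test negotiability.

Added example (editor's code, not from the page). The legacy patterns are an
assumed audit baseline: CBC-mode ciphers, RC4/3DES/Blowfish/CAST, MD5 or
96-bit-truncated MACs, and SHA-1 DH key exchange. Adjust to your own policy.
"""
import re

LEGACY_PATTERNS = {
    "cipher": (
        r"-cbc$",        # any CBC-mode cipher
        r"^arcfour",     # RC4 in any form
        r"^3des-",       # Triple-DES (64-bit block)
        r"^blowfish-",
        r"^cast128-",
    ),
    "mac": (
        r"md5",                          # HMAC-MD5 variants
        r"-96(-etm@openssh\.com)?$",     # 96-bit truncated tags, e.g. hmac-sha1-96
        r"^umac-64",                     # 64-bit UMAC tag
    ),
    "kex": (
        r"^diffie-hellman-group1-sha1$",          # 1024-bit group with SHA-1
        r"^diffie-hellman-group-exchange-sha1$",
        r"^diffie-hellman-group14-sha1$",
    ),
}

# sshd_config keyword (lower-cased) -> algorithm family used above
CONFIG_KEYS = {"ciphers": "cipher", "macs": "mac", "kexalgorithms": "kex"}


def classify(kind, name):
    """Return 'legacy' if the algorithm name matches the audit baseline, else 'ok'."""
    return "legacy" if any(re.search(p, name) for p in LEGACY_PATTERNS[kind]) else "ok"


def parse_sshd_config(text):
    """Collect the algorithms an sshd_config offers, keyed by family.

    OpenSSH lets a value start with '+' (append to defaults), '^' (prepend) or
    '-' (remove). Appended/prepended names are offered, so keep them; a '-' list
    names algorithms that are NOT offered, so skip it.
    """
    offered = {"cipher": [], "mac": [], "kex": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in CONFIG_KEYS:
            continue
        value = parts[1].strip()
        if value.startswith("-"):
            continue
        names = [a.strip() for a in value.lstrip("+^").split(",") if a.strip()]
        offered[CONFIG_KEYS[parts[0].lower()]].extend(names)
    return offered


def audit(offered):
    """Split each family into legacy vs acceptable names.

    An empty 'ok' list for any family means a client that offers only current
    algorithms has nothing it can agree on with this server.
    """
    report = {}
    for kind, names in offered.items():
        legacy = [n for n in names if classify(kind, n) == "legacy"]
        report[kind] = {"legacy": legacy, "ok": [n for n in names if n not in legacy]}
    return report


def negotiable(server_algs, client_algs):
    """RFC 4253 s7.1: the chosen algorithm is the first entry in the client's
    list that also appears in the server's list. None means negotiation fails."""
    server = set(server_algs)
    return next((alg for alg in client_algs if alg in server), None)


# Constructed sample resembling the legacy SFTP endpoint described in the comment.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc
MACs hmac-md5,hmac-sha1-96
KexAlgorithms diffie-hellman-group1-sha1
"""

# Constructed (abbreviated) list of what a current OpenSSH client might offer.
MODERN_CLIENT_CIPHERS = [
    "chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-gcm@openssh.com",
]

if __name__ == "__main__":
    offered = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for kind, result in audit(offered).items():
        print(f"{kind}: legacy={result['legacy']} ok={result['ok']}")
    chosen = negotiable(offered["cipher"], MODERN_CLIENT_CIPHERS)
    print("negotiated cipher:", chosen or "NONE - connection would fail at KEXINIT")
```

Running the script against the constructed config reports every offered cipher, MAC and key exchange as legacy and shows that negotiation with the modern client list yields no common cipher, which is the failure mode the commenter hit; pointing `parse_sshd_config` at a real `sshd_config` (or at the output of `ssh -Q cipher`, one name per line, wrapped in a `Ciphers` line) turns it into a quick pre-upgrade check for the peers you exchange files with.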
