NEW YORK, Aug 13 (Reuters) - Enzo Biochem (ENZ) will
pay $4.5 million to settle regulatory charges that lax security
protocols contributed to an April 2023 cyberattack that
compromised Social Security numbers, health histories and other
information for about 2.4 million patients.
Tuesday's settlement with New York, New Jersey and
Connecticut resolved claims that Enzo did not adequately
safeguard patients' personal and private health information, New
York Attorney General Letitia James said.
According to an assurance of discontinuance signed by Enzo,
cyberattackers accessed the biotechnology company's network with
two log-in credentials that were shared by five Enzo employees,
including one credential that had not changed in a decade.
Attackers then installed malware on several systems, which
the Farmingdale, New York-based company needed several days to
discover because it did not monitor for suspicious activity.
Prior to and as part of the settlement, Enzo is bolstering
security, including by requiring stronger passwords and
two-factor authentication, encrypting personal information, and
developing a plan to respond to cyberattacks faster.
Enzo began alerting patients to the breach in June 2023.
About 1.46 million New Yorkers were affected, including
about 405,000 whose Social Security numbers were compromised.
New York will receive $2.8 million from the settlement.
"Getting blood work or medical testing should not result in
patients having their personal and health information stolen by
cybercriminals," James said in a statement.
Enzo did not immediately respond to a request for comment.
The company exited clinical lab testing last August.