Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

IBM Says 631K Affected in Johnson & Johnson Database Breach

IBM Blames 'Technical Method' for Allowing Unauthorized Access to Patient Info
IBM Says 631K Affected in Johnson & Johnson Database Breach
IBM said nearly 631,000 individuals are affected by a recent database incident involving Johnson & Johnson's Janssen CarePath service. (Image: IBM, J&J)

IBM has reported to federal regulators that the personal information of 631,000 people was compromised by a "technical method" that allowed unauthorized access to a third-party database used by a Johnson & Johnson patient medication support platform. IBM said the problem has been fixed, but two lawsuits have already been filed.

See Also: How to Build Your Cyber Recovery Playbook

The data breach, which was publicly disclosed last month by IBM and Johnson & Johnson but was just posted this week on the Department of Health and Human Services' HIPAA Breach Reporting Tool website, is also already the subject of at least two proposed federal class action lawsuits filed against the companies.

On Oct. 2, a federal judge in the U.S. District Court for the Southern District of New York who is handling the two lawsuits, which were filed in late September, ordered that the pair of cases be consolidated.

Each of the lawsuits makes similar allegations against IBM and Johnson & Johnson, including claims that the companies were negligent in failing to protect individuals' sensitive protected health information and personal identifiable information from unauthorized access.

"As a result, representative plaintiff's and class members' PHI/PII was compromised through disclosure to an unknown and unauthorized third party - an undoubtedly nefarious third party seeking to profit off this disclosure by defrauding representative plaintiff and class members in the future," alleges the lawsuit filed on Sept. 22 by Elaine Malinowski on behalf of herself and others similarly situated.

The lawsuits seek financial damages for plaintiffs and class members, as well as injunctive orders for IBM and Johnson & Johnson to improve their data security practices.

IBM manages the application and the third-party database that supports Johnson & Johnson' Janssen CarePath platform, which offers support services and resources to patients prescribed Janssen medications by their healthcare providers.

Breach Details

Janssen CarePath said it had recently become aware of a "technical method" that allowed unauthorized access to a third-party database managed by IBM. Upon immediately notifying IBM of the problem, the tech giant promptly remediated the issue and investigated the incident, Janssen said in its breach notice.

IBM's investigation found unauthorized access to personal information in the database on Aug. 2, but the tech firm could not determine the scope of the access, the breach notice said.

IBM, a HIPAA business associate of Johnson & Johnson, is notifying Janssen CarePath customers and users whose information was stored in the affected database.

Information potentially compromised in the incident includes individuals' names, contact information, birthdates, health insurance information, and information about medications and associated conditions that were provided to the Janssen CarePath application. Social Security numbers and financial account information were not contained in the affected database, IBM said.

IBM is offering affected individuals one year of complimentary credit and identity monitoring and has also worked with the database provider "to augment security controls to reduce the chance of a similar event occurring in the future," the company said.

IBM declined Information Security Media Group's request for additional details about the incident, including details pertaining to the database and the "technical method" that permitted unauthorized access to data. IBM also declined ISMG's request for comment on the proposed class action lawsuits.

Johnson & Johnson did not immediately respond to ISMG's request for additional details about the incident and for comment on the lawsuits.

Business associates and other third-party vendors have been at the center of many of the largest health data breaches reported so far in 2023.

They include apparent stand-alone incidents, such as the IBM/Johnson & Johnson compromise, and significant hacks involving widely used software products, such as Progress Software's MOVEit and Fortra's GoAnywhere file transfer software.

As of Tuesday, the HHS' Office for Civil Rights' website shows that of the 524 major health data breaches affecting 88.7 million individuals reported so far in 2023, about 40% - or 211 incidents affecting nearly 54 million individuals - involved business associates that handle PHI.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.