Data Breach at Janssen CarePath Exposes Sensitive Patient Information, IBM Issues Alerts

In a recent development that raises concerns over data security, the Janssen CarePath platform, a subsidiary of pharmaceutical giant Johnson & Johnson, has experienced a security breach. The breach came to light when tech firm IBM, a service provider to Johnson & Johnson Health Care Systems, issued a statement on September 6, 2023, notifying customers about the incident.

IBM revealed that it was alerted to a "technical issue" that could lead to unauthorized access to the third-party database supporting Janssen. Upon further investigation, it was determined that unauthorized access to personal information occurred on August 2. The compromised data potentially includes customer names, contact information, date of birth, and sensitive medical data such as health insurance details and information about medications and associated medical conditions used in the Janssen CarePath application.

Fortunately, the breach did not expose social security numbers or financial account information. However, the potential impact of this incident is significant, as Janssen reported that approximately 1.16 million patients used its CarePath program in 2022.

IBM has collaborated with the database provider to address the technical issue, but it has cautioned Janssen CarePath users about the possibility of their personal information being exploited by malicious actors. While the exact extent of unauthorized access remains unconfirmed, IBM has advised affected individuals to regularly monitor their account statements and explanations of benefits from their health insurers or care providers for any signs of unauthorized activity and promptly report any suspicious incidents.

Additionally, those individuals whose information may have been compromised have been offered a complimentary one-year credit monitoring service. Cybersecurity experts from around the community weighed in on what this incident means for other organizations and what the industry can learn from it:

Nikhil Girdhar, Senior Director of Data Security, Securiti:

"The recent data breach involving Johnson & Johnson's CarePath application underscores the pressing need for a tactical overhaul in healthcare data security. As the sector moves swiftly towards digitization, patient data becomes a prized asset for cybercriminals. This mandates a critical reassessment of Data Security Posture Management (DSPM) strategies across healthcare organizations.

In an environment where patient data is dispersed across multiple platforms, the challenge for security teams—often operating with finite resources—is to effectively pinpoint and secure vulnerable assets. A data-centric approach can optimize resource allocation by focusing on high-value assets. This enables more precise application of safeguards such as least-privilege access controls, data masking, and configuration management, particularly for key applications like CarePath.

The paradigm must also shift from an 'if' to a 'when' mindset regarding breaches. Prioritizing data encryption is not just advisable; it's essential. Moreover, automating incident analysis can accelerate notifications to impacted parties, enabling them to take proactive measures to protect their information. When integrated, these steps forge a formidable defense against increasingly advanced cyber threats, offering security teams the tactical advantage they need."

Dror Liwer, co-founder and CSO, Coro:

“It’s critical that companies continuously monitor the security posture of their third-party vendors. A giant that sells security products and services such as IBM getting breached and leaking its client’s customers’ data should be a red flag to the industry at large. The basics must be covered: ongoing vendor cyber readiness audits, and a clear data retention policy that is strictly enforced on the vendor. The more of your data your vendors retain for longer, the bigger the exposure.”

Erich Kron, security awareness advocate, KnowBe4:

“This is another unfortunate example of an organization being impacted by their suppliers. While IBM was the technology service provider behind the application and database, the customers are going to remember that their information was lost by Johnson & Johnson Health Care Systems.

“The information that was disclosed, although it did not contain Social Security numbers, could be very valuable for bad actors looking to commit Medicare fraud, or even possibly extorting customers by threatening to release what could be potentially embarrassing medical conditions or procedures. In addition, this information could be used to create extremely targeted social engineering attacks that reference this information to make them seem legitimate. While IBM says there is no indication that the data has been misused yet, victims should certainly not let their guard down. It could take months or even longer for the misuse of this information to be discovered.

“Potential victims of this breach should be very cautious with emails, phone calls, or even text messages that refer to past medical procedures or conditions, or reference any of the other information that was exposed. Organizations should consider this a lesson in potential issues through vendors, and should ensure that they have a plan to deal with the possibility of issues such as this prior to it happening to them.”