- Janssen CarePath data breach exposed names, contact info, insurance info, and medication data.
- IBM disabled a “technical method” used to gain unauthorized access.
- Complimentary 1-year credit monitoring is offered.
- Janssen CarePath users should monitor account statements.
- Data breach is a reminder to protect personal info.
IBM, a service provider to Johnson & Johnson Health Care Systems, Inc., has notified customers and users of the Janssen CarePath patient support platform of a data breach that may have exposed personal information.
The breach involved unauthorized access to a database used by Janssen CarePath. The information that may have been compromised includes individuals’ names and one or more of the following: contact information, date of birth, health insurance information, and information about medications and associated conditions. Social Security numbers and financial account information were not contained in the database or affected.
IBM said that it was notified of the issue by Janssen on August 2, 2023 and that it promptly worked with the database provider to disable the technical method that was used to gain unauthorized access. IBM also augmented security controls to reduce the chance of a similar event occurring in the future.
While there is no indication that any of the involved information has been misused, a complimentary one-year credit monitoring service is being offered to individuals whose information may have been involved. Individuals can arrange for credit monitoring by following the instructions in the notification letters that they receive or by calling the dedicated call center.
Janssen CarePath users are encouraged to remain vigilant by regularly reviewing their account statements and explanations of benefits from their health insurer or care providers with respect to any unauthorized activity and to promptly report any suspicious activity.
In response to the news, William Wright, CEO of Closed Door Security told Hackrad.com that, “IBM hasn’t provided information around how the database was accessed, however, by saying it identified a ‘technical method’, this sounds like it could have been via an unpatched vulnerability, or a failure to properly secure the database against external access.”
“Organisations must run regular pen tests on their assets to identify unpatched vulnerabilities and to spot network blind spots that could be exploited by adversaries. These security assessments must be attack-driven, where all the different routes an attacker could take to infiltrate the network are tested and sealed. Otherwise, as we are seeing here, it won’t be long before an adversary identifies and exploits them,” William added.
“IBM is clearly still investigating the incident, but the data potentially exposed could be a gold mine for attackers. Healthcare data is the most valuable information on the dark web, so attackers have multiple ways to monetise from it – either by selling it or exploiting victims further,” he wanted. “IBM must communicate with those impacted as a matter of urgency because they need to be on guard for further attacks.”
The data breach is the latest in a series of high-profile security incidents affecting healthcare organizations. In recent months, there have been data breaches at Apria, LabCorp, Quest Diagnostics, and Anthem.
The Janssen CarePath data breach is a reminder of the importance of data security in the healthcare industry. Healthcare organizations should take steps to protect patient data, including implementing strong security controls and conducting regular security assessments.
