Janssen Pharmaceutical’s CarePath Application Data Breach Exposes Personal Information

By ISBuzz Team, Writer, Information Security Buzz | Sep 11, 2023 03:21 am PST

In a recent cybersecurity incident, Janssen Pharmaceutical’s CarePath application experienced a data breach, potentially exposing sensitive personal and medical information of its customers. The breach was linked to the application’s third-party technology service provider, IBM.

CarePath, an application owned by Johnson & Johnson’s subsidiary, Janssen Pharmaceutical, is designed to help patients access Janssen medications, prescription discounts, insurance guidance, and other support tools. IBM manages the CarePath application and the database that supports it.

The breach came to light when Janssen Pharmaceutical identified a weakness that could have allowed unauthorized individuals to access the CarePath database. Janssen promptly notified IBM, which closed the security gap and then opened an investigation into the incident.

The investigation revealed that unauthorized users had gained access to the personal and medical information of CarePath users who had enrolled in Janssen’s online services prior to July 2, 2023. The compromised data included:

– Name and contact information

– Date of birth

– Health insurance details

– Medication information

– Medical condition information

Notably, this breach does not impact patients who enrolled on or after July 2, 2023, nor does it affect Janssen’s Pulmonary Hypertension patients.

In an unrelated incident from the previous month, the Colorado Department of Health Care Policy & Financing disclosed a breach involving IBM, affecting four million individuals, leading to the exposure of their personal and medical data.

While there is currently no evidence that the compromised information has been misused, IBM is taking precautionary measures and is offering complimentary one-year credit monitoring to individuals whose information may have been affected.

Janssen CarePath users are advised to remain vigilant by regularly reviewing their account statements and explanations of benefits from health insurers or healthcare providers. Any suspicious activity should be reported promptly.

IBM has established a toll-free call center for inquiries related to this incident, open Monday through Friday from 9:00 a.m. to 9:00 p.m. ET (excluding major U.S. holidays). For more information, individuals can contact:

– For individual users: (888) 604-6584

– For healthcare providers: (877) 792-3593

Both Janssen and IBM are committed to enhancing information security measures to protect against evolving cyber threats. This incident underscores the importance of ongoing vigilance in safeguarding personal and medical data in an increasingly digital world.

5 Expert Comments
William Wright
September 11, 2023 11:26 am

“IBM hasn’t provided information around how the database was accessed; however, by saying it identified a ‘technical method’, this sounds like it could have been via an unpatched vulnerability, or a failure to properly secure the database against external access.

These are two concerning security issues, but they plague organisations every day because of a failure to carry out regular and effective security testing.

Organisations must run regular pen tests on their assets to identify unpatched vulnerabilities and to spot network blind spots that could be exploited by adversaries. These security assessments must be attack-driven, where all the different routes an attacker could take to infiltrate the network are tested and sealed. Otherwise, as we are seeing here, it won’t be long before an adversary identifies and exploits them.

IBM is clearly still investigating the incident, but the data potentially exposed could be a gold mine for attackers. Healthcare data is the most valuable information on the dark web, so attackers have multiple ways to monetise it – either by selling it on or exploiting victims further.

IBM must communicate with those impacted as a matter of urgency, because they need to be on guard for further attacks.”

Nick Tausek, Security Solutions Architect
September 11, 2023 11:25 am

“Johnson & Johnson Health Care Systems has announced that customers of CarePath, an application designed to help patients manage prescriptions, had their sensitive information leaked via a third-party breach involving IBM. According to an internal investigation, personally identifiable information (PII) such as full name, date of birth and sensitive healthcare information was accessed during the breach and now opens victims up to further attacks such as phishing.

Healthcare organizations continue to be a target for threat actors due to the degree of sensitive information stored in their systems. Because of this, bad actors tend to have the mindset that they will be more likely to pay larger sums of money to regain control of this information.

To avoid cyberattacks and resulting data breaches such as the one experienced by CarePath customers, healthcare organizations need to implement appropriate measures to keep their valuable data secure. Cybersecurity platforms that integrate detection, response, and investigation capabilities into a single program can provide full visibility of IT environments, enable real-time threat detection and response, and reduce risks of data exposure. By utilizing low-code security automation, healthcare companies can enhance their data protection level, safeguard sensitive patient information, and continue to fulfill their mission of serving the public.”

Nikhil Girdhar, Senior Director of Data Security
September 11, 2023 11:23 am

“The recent data breach involving Johnson & Johnson’s CarePath application underscores the pressing need for a tactical overhaul in healthcare data security. As the sector moves swiftly towards digitization, patient data becomes a prized asset for cybercriminals. This mandates a critical reassessment of Data Security Posture Management (DSPM) strategies across healthcare organizations.

In an environment where patient data is dispersed across multiple platforms, the challenge for security teams—often operating with finite resources—is to effectively pinpoint and secure vulnerable assets. A data-centric approach can optimize resource allocation by focusing on high-value assets. This enables more precise application of safeguards such as least-privilege access controls, data masking, and configuration management, particularly for key applications like Carepath.

The paradigm must also shift from an ‘if’ to a ‘when’ mindset regarding breaches. Prioritizing data encryption is not just advisable; it’s essential. Moreover, automating incident analysis can accelerate notifications to impacted parties, enabling them to take proactive measures to protect their information. When integrated, these steps forge a formidable defense against increasingly advanced cyber threats, offering security teams the tactical advantage they need.”

Ted Miracco, CEO
September 11, 2023 11:23 am

“Healthcare organizations can no longer simply trust the security posture of every vendor in their supply chain, even if that vendor is as trusted as IBM. As medical devices, apps, clouds and partners increasingly integrate, attack surfaces multiply exponentially. Breaches via third parties will continue absent real-time attestation of app, device and user legitimacy on every request. API interconnections cannot automatically imply interoperability of security and healthcare organizations must re-architect environments where every access attempt, especially from mobile devices, is authenticated and authorized.”

Emily Phelps, Director
September 11, 2023 11:22 am

“In today’s interconnected world, securing environments is increasingly complex. We have useful technologies that make it easy for individuals and organizations to engage with relevant data but can also provide unauthorized access to sensitive information. This is why advanced security collaboration and orchestration are so important. Not all security-related technologies play well together, making it difficult for teams to quickly identify gaps and vulnerabilities. We need to not only get the right information to the right people; we need it to be context-rich, making it clear what steps are needed and what action must be taken.”
