In a recent cybersecurity incident, Janssen Pharmaceutical’s CarePath application experienced a data breach, potentially exposing sensitive personal and medical information of its customers. The breach was linked to the application’s third-party technology service provider, IBM.
CarePath, an application owned by Johnson and Johnson’s subsidiary, Janssen Pharmaceutical, is designed to assist patients in accessing Janssen medications, prescription discounts, insurance guidance, and other useful tools. IBM is responsible for managing the CarePath application and the database that supports its functions.
The breach came to light when Janssen Pharmaceutical identified a vulnerability that could have allowed unauthorized individuals to access the CarePath database. Following this discovery, Janssen promptly informed IBM, which swiftly addressed the security gap. Subsequently, IBM initiated an investigation into the incident.
The investigation revealed that unauthorized users had gained access to the personal and medical information of CarePath users who had enrolled in Janssen’s online services prior to July 2, 2023. The compromised data included:
– Name and contact information
– Date of birth
– Health insurance details
– Medication information
– Medical condition information
Notably, this breach does not impact patients who enrolled on or after July 2, 2023, nor does it affect Janssen’s Pulmonary Hypertension patients.
In an unrelated incident from the previous month, the Colorado Department of Health Care Policy & Financing disclosed a breach involving IBM, affecting four million individuals, leading to the exposure of their personal and medical data.
While there is currently no evidence of the compromised information being misused, IBM is taking precautionary measures. They are offering complimentary one-year credit monitoring services to individuals whose information may have been affected.
Janssen CarePath users are advised to remain vigilant by regularly reviewing their account statements and explanations of benefits from health insurers or healthcare providers. Any suspicious activity should be reported promptly.
IBM has established a toll-free center for inquiries related to this incident, open Monday through Friday from 9:00 a.m. to 9:00 p.m. ET (excluding major U.S. holidays). For more information, individuals can contact:
– For individual users: (888) 604-6584
– For healthcare providers: (877) 792-3593
Both Janssen and IBM are committed to enhancing information security measures to protect against evolving cyber threats. This incident underscores the importance of ongoing vigilance in safeguarding personal and medical data in an increasingly digital world.
“IBM hasn’t provided information around how the database was accessed, however, by saying it identified a ‘technical method’, this sounds like it could have been via an unpatched vulnerability, or a failure to properly secure the database against external access.
These are two concerning security issues, but they plague organisations every day because of a failure to carry out regular and effective security testing.
Organisations must run regular pen tests on their assets to identify unpatched vulnerabilities and to spot network blind spots that could be exploited by adversaries. These security assessments must be attack-driven, where all the different routes an attacker could take to infiltrate the network are tested and sealed. Otherwise, as we are seeing here, it won’t be long before an adversary identifies and exploits them.
IBM is clearly still investigating the incident, but the data potentially exposed could be a gold mine for attackers. Healthcare data is the most valuable information on the dark web, so attackers have multiple ways to monetise from it – either by selling it on or exploiting victims further.
IBM must communicate with those impacted as a matter of urgency, because they need to be on guard for further attacks.”
Is there a class action suit so that i can be compensated for this breach?
“Johnson & Johnson Health Care Systems has announced that customers of CarePath, an application designed to help patients manage prescriptions, had their sensitive information leaked via a third-party breach involving IBM. According to an internal investigation, personally identifiable information (PII) such as full name, date of birth and sensitive healthcare information was accessed during the breach and now opens victims up to further attacks such as phishing.
Healthcare organizations continue to be a target for threat actors due to the degree of sensitive information stored in their systems. Because of this, bad actors tend to have the mindset that they will be more likely to pay larger sums of money to regain control of this information.
To avoid cyberattacks and resulting data breaches such as the one experienced by CarePath customers, healthcare organizations need to implement appropriate measures to keep their valuable data secure. Cybersecurity platforms that integrate detection, response, and investigation capabilities into a single program can provide full visibility of IT environments, enable real-time threat detection and response, and reduce risks of data exposure. By utilizing low-code security automation, healthcare companies can enhance their data protection level, safeguard sensitive patient information, and continue to fulfill their mission of serving the public.”
“The recent data breach involving Johnson & Johnson’s CarePath application underscores the pressing need for a tactical overhaul in healthcare data security. As the sector moves swiftly towards digitization, patient data becomes a prized asset for cybercriminals. This mandates a critical reassessment of Data Security Posture Management (DSPM) strategies across healthcare organizations.
In an environment where patient data is dispersed across multiple platforms, the challenge for security teams—often operating with finite resources—is to effectively pinpoint and secure vulnerable assets. A data-centric approach can optimize resource allocation by focusing on high-value assets. This enables more precise application of safeguards such as least-privilege access controls, data masking, and configuration management, particularly for key applications like Carepath.
The paradigm must also shift from an ‘if’ to a ‘when’ mindset regarding breaches. Prioritizing data encryption is not just advisable; it’s essential. Moreover, automating incident analysis can accelerate notifications to impacted parties, enabling them to take proactive measures to protect their information. When integrated, these steps forge a formidable defense against increasingly advanced cyber threats, offering security teams the tactical advantage they need.”
“Healthcare organizations can no longer simply trust the security posture of every vendor in their supply chain, even if that vendor is as trusted as IBM. As medical devices, apps, clouds and partners increasingly integrate, attack surfaces multiply exponentially. Breaches via third parties will continue absent real-time attestation of app, device and user legitimacy on every request. API interconnections cannot automatically imply interoperability of security and healthcare organizations must re-architect environments where every access attempt, especially from mobile devices, is authenticated and authorized.”