IBM: Janssen health database breached in cyber incident


IBM announced Wednesday that an unauthorized party breached the patient healthcare database it manages for the Johnson & Johnson-owned Janssen CarePath platform. Many of the patients are or have been treated for serious diseases, such as cancer.

The tech giant says it has begun to notify patients whose information may have been compromised in the breach, discovered on August 2nd.

The IBM-run database is used by Janssen CarePath, a free patient support platform that offers savings on advanced prescription medicines and other patient resources.

Although Janssen products and research span 150 countries, the CarePath platform serves only patients in the US who have been prescribed Janssen medications by their doctors.

IBM says the breach exposed the sensitive information of an undisclosed number of patients, including contact information, date of birth, health insurance information, and information about medications and associated conditions that were provided to the Janssen CarePath application.

The CarePath platform is a subsidiary of the US-based Janssen Pharmaceuticals, which is owned by Johnson & Johnson (J&J) and is the manufacturer of dozens of heavy-duty prescription drugs used to treat significant and complex diseases, such as cancer and HIV, as well as the maker of the J&J COVID-19 vaccine.

So far, IBM has not been able to determine the extent of the unauthorized access, but said Social Security numbers and financial account information were not stored in the compromised database.

IBM, which has labeled the breach as a “data incident,” posted the notification on its website Wednesday out of “an abundance of caution,” as did Janssen CarePath.

Janssen said the notice only applies to patients who were enrolled in services prior to July 2nd, and furthermore does not apply to pulmonary hypertension patients.

What happened?

The incident began when Janssen became aware of a "technical method" allowing unauthorized access to the database, the companies stated.

“After being informed of the issue by Janssen, IBM and the database provider promptly identified and implemented steps that disabled the technical method at issue,” IBM said.

While investigating the incident, IBM discovered that personal information of patients stored in the database had been accessed on August 2nd.

“IBM also worked with the database provider to augment security controls to reduce the chance of a similar event occurring in the future,” the notice said.

There is no indication of how long the database had been vulnerable to outside access.

IBM has set up a toll-free hotline and is offering one year of credit monitoring free of charge to those affected by the security breach.