Johnson & Johnson Discloses IBM Breach Exposing Patients’ Medical Information

According to a notice on the website of Johnson & Johnson-owned Janssen Pharmaceutical, CarePath customers’ personal and medical information has been compromised in a data breach involving its third-party technology service provider, IBM.

CarePath is an application designed to help patients gain access to Janssen medications, discounts on prescriptions, guidance on insurance and other helpful tools. IBM manages the CarePath application and database supporting these functions.

After the pharmaceutical firm became aware of a method that could give unauthorized users access to the CarePath database, Janssen informed IBM and the security gap was fixed. IBM then began an investigation which revealed that CarePath users who enrolled on Janssen’s online services before July 2nd had the following details accessed by unauthorized users:

  • Name and contact information
  • Date of birth
  • Health insurance information
  • Medication information
  • Medical condition information

In an unrelated incident last month, the Colorado Department of Health Care Policy & Financing informed four million individuals that their personal and medical data had been exposed due to a breach at IBM.

Emily Phelps, Director, Cyware, had this to say:

   “In today’s interconnected world, securing environments is increasingly complex. We have useful technologies that make it easy for individuals and organizations to engage with each relevant data but can also provide unauthorized access to sensitive information. This is why advanced security collaboration and orchestration are so important. Not all security-related technologies play well together, making it difficult for teams to quickly identify gaps and vulnerabilities. We need to not only get the right information to the right people; we need it to be context-rich, making it clear what steps are needed and what action must be taken.”

Ted Miracco, CEO, Approov Mobile Security, follows up with this:

   “Healthcare organizations can no longer simply trust the security posture of every vendor in their supply chain, even if that vendor is as trusted as IBM. As medical devices, apps, clouds and partners increasingly integrate, attack surfaces multiply exponentially. Breaches via third parties will continue absent real-time attestation of app, device and user legitimacy on every request. API interconnections cannot automatically imply interoperability of security and healthcare organizations must re-architect environments where every access attempt, especially from mobile devices, is authenticated and authorized.”

Healthcare is a prime target for threat actors because that sector is seen as weak from a cybersecurity standpoint. That sector really needs to do more to stop these sorts of events from happening.
