Sensitive patient data may have been accessed following a breach of the CarePath platform run by Janssen, a subsidiary of pharmaceutical giant Johnson & Johnson.
Tech firm IBM, a service provider to Johnson & Johnson Health Care Systems, notified customers of the incident in a statement on September 6, 2023.
IBM explained it was alerted to a “technical issue” that could allow unauthorized access to the third-party database that supports Janssen.
Upon investigation, it discovered that there had been unauthorized access to personal information in the database on August 2. This may have included customers’ names, contact information and dates of birth, as well as sensitive medical data, such as health insurance details and information on medications and associated conditions, that were provided to the Janssen CarePath application.
However, social security numbers and financial account information were not contained in the database or affected.
The breach could affect in excess of a million individuals, with Janssen reporting that 1.16 million patients used its CarePath program in 2022.
IBM has worked with the database provider to address the technical issue, but warned Janssen customers about the potential for their personal information to be misused by malicious actors.
Although IBM has not been able to confirm the extent of access to patient data, it has advised Janssen CarePath users to regularly review account statements and explanations of benefits from their health insurer or care providers with respect to any unauthorized activity, and to promptly report any suspicious activity.
In addition, individuals whose information was potentially affected have been offered a complimentary one-year credit monitoring service.
Commenting on the story, William Wright, CEO of Closed Door Security, noted that IBM’s description of how the database was accessed as a “technical method” suggests it could have been via an unpatched vulnerability or a failure to properly secure the database against external access.
“These are two concerning security issues, but they plague organizations every day because of a failure to carry out regular and effective security testing,” said Wright.
He added that the sensitive nature of the data exposed in the incident could be a “gold mine” for malicious actors.
“Healthcare data is the most valuable information on the dark web, so attackers have multiple ways to monetise from it – either by selling it on or exploiting victims further. IBM must communicate with those impacted as a matter of urgency, because they need to be on guard for further attacks,” he stated.