IBM Data Breach Exposes Sensitive Information of Johnson & Johnson CarePath Customers

Johnson & Johnson Health Care Systems, also known as Janssen, has recently notified its CarePath customers about a data breach involving IBM, a technology service provider for Janssen. This breach has resulted in the compromise of sensitive customer information.

The CarePath application and database, which are managed by IBM, offer various services to patients, including access to Janssen medications, discounts on eligible prescriptions, insurance coverage guidance, and drug refiling and administering alerts.

According to a notice on Janssen’s website, the pharmaceutical firm discovered an undocumented method that could potentially grant unauthorized users access to the CarePath database. Janssen promptly reported this security gap to IBM, who took immediate action to fix the issue and initiated an internal investigation to determine if the vulnerability had been exploited.

Unfortunately, the investigation concluded on August 2nd, 2023, revealed that unauthorized users had gained access to the following CarePath user details:

• Full name
• Contact information
• Date of birth
• Health insurance information
• Medication information
• Medical condition information

The data exposure affects CarePath users who enrolled in Janssen’s online services prior to July 2nd, 2023. This suggests that the breach may have occurred on that date or that the breached database was a backup.

Fortunately, social security numbers and financial account data were not stored in the breached database, so these critical details have not been compromised.

It is important to note that Janssen has clarified that this security incident does not impact its Pulmonary Hypertension patients.

The compromised data has the potential to facilitate highly effective phishing, scamming, and social engineering attacks. Given the value of medical data, it is highly likely that the stolen information will be sold for a premium on darknet markets.

In a separate announcement, IBM has stated that there are currently no indications of the stolen data being misused. However, the company advises Janssen CarePath users to remain vigilant and closely monitor their account statements for any suspicious activity. As an additional precautionary measure, IBM is offering one year of free credit monitoring to all affected individuals.

Both Janssen and IBM have provided toll-free numbers for providers and users to call if they have any questions or require assistance with enrolling in credit monitoring services.

It is worth mentioning that earlier this year, IBM was one of the many entities targeted by the Clop ransomware. This cyber attack exploited a zero-day vulnerability in the MOVEit Transfer software, which is widely used by organizations worldwide. However, it is currently unclear whether the Janssen breach is connected to this incident or if it was orchestrated by different threat actors.

We have reached out to IBM for further information regarding the Janssen breach and the number of individuals affected. We will update this post as soon as we receive a response.