U.S. pharmaceutical giant Johnson & Johnson (Janssen) has disclosed a data breach stemming from a third-party healthcare IT service provider, IBM.
The security breach impacted the IBM-managed Janssen CarePath application, which allows customers to access medication and information resources about health insurance options, discounts, out-of-pocket costs, and patient support.
IBM is still assessing the scope of the healthcare leak, has notified impacted individuals, and has taken additional measures to protect the victims.
Third-party service provider’s data breach leaked Janssen customers’ data
In a data breach notification posted online, Johnson & Johnson said it discovered an access method that could allow threat actors to obtain unauthorized access to personal information.
Janssen notified IBM, which immediately fixed the issue and launched an investigation. On September 6, 2023, IBM’s probe determined that unauthorized access to personal information had occurred on August 2, 2023, and IBM notified Janssen’s CarePath customers and users.
While the IT service provider could not assess the scope of the incident, it determined that the data breach leaked users’ dates of birth, contact information, and medical information about health conditions captured by the system.
However, the Janssen leak did not expose Social Security Numbers or financial account information, because the system did not capture them.
The data breach impacted customers who enrolled before July 2, 2023, but excluded Janssen’s Pulmonary Hypertension patients. So far, IBM has not disclosed the number of victims impacted but has notified all CarePath customers “out of an abundance of caution.” In 2022, approximately 1.16 million patients had enrolled in the CarePath program.
Meanwhile, IBM has found no evidence that the information has been misused and is offering 12 months of free credit monitoring to protect victims from identity theft and fraud. The healthcare IT service provider also encourages impacted patients to remain vigilant for attempted phishing attacks and monitor their financial accounts for irregularities. Threat actors could monetize the breach by selling the stolen medical data and using the contact information for targeted phishing.
IBM has disabled the access method and implemented additional security controls to prevent similar data breaches in the future.
Speculations of another MOVEit data breach
In August, the IT service provider disclosed a MOVEit data breach that impacted the Colorado Department of Health Care Policy & Financing (HCPF) and Missouri’s Department of Social Services (DSS).
The healthcare IT service provider has disputed speculations that the Janssen CarePath leak resulted from a MOVEit hack. IBM has not disclosed the attack vector, but the “technical method” exploited suggests an unsecured cloud database, exposed API, or unpatched vulnerability.
“The recent data breach involving Johnson & Johnson’s CarePath application underscores the pressing need for a tactical overhaul in healthcare data security,” said Nikhil Girdhar, Senior Director of Data Security at Securiti. “As the sector moves swiftly towards digitization, patient data becomes a prized asset for cybercriminals. This mandates a critical reassessment of Data Security Posture Management (DSPM) strategies across healthcare organizations.”
While no system can be 100% foolproof, organizations face criticism for failing to prevent, detect, and promptly remediate data breaches.
Ted Miracco, CEO at Approov, warned healthcare organizations against blindly trusting vendors, including reputable ones like IBM.
“Healthcare organizations can no longer simply trust the security posture of every vendor in their supply chain, even if that vendor is as trusted as IBM,” Miracco said. “As medical devices, apps, clouds, and partners increasingly integrate, attack surfaces multiply exponentially. Breaches via third parties will continue absent real-time attestation of app, device, and user legitimacy on every request.”
“API interconnections cannot automatically imply interoperability of security, and healthcare organizations must re-architect environments where every access attempt, especially from mobile devices, is authenticated and authorized,” added Miracco.
There is no evidence to suggest that the healthcare IT service provider was negligent. However, the Janssen data breach likely stemmed from human error or security oversight.