IBM and Johnson & Johnson are being sued over a data breach that occurred in August that could put over 1 million Janssen CarePath patients at risk of identity theft.
A class action lawsuit was recently filed that seeks to hold IBM and Johnson & Johnson Health Care Systems responsible for a “massive and preventable” 2023 data breach that compromised the sensitive information of thousands of people who were enrolled in Janssen CarePath services.
According to the lawsuit, the companies claim to have discovered the cyberattack as early as August 2, 2023, but they did not inform victims until September 15, 2023, leaving consumers “wholly unaware” that their data had been stolen until they received letters from IBM and Johnson & Johnson Health Care Systems.
The breach reportedly impacted consumers who were enrolled in Janssen CarePath, a support program owned by Johnson & Johnson Health Care Systems for patients taking Janssen medications, prior to July 2, 2023.
According to the lawsuit, consumers’ names, contact information, and medication and medical condition details were compromised in the IBM and Johnson & Johnson Health Care Systems data breach.
The filing alleges the companies “disregarded the rights” of consumers by failing to ensure that their network servers were adequately protected.
The suit notes that the information in the care of the defendants was subject to Health Insurance Portability and Accountability Act (HIPAA) regulations, under which companies like IBM and Johnson & Johnson Health Care Systems are required to have in place appropriate safeguards to protect sensitive medical and personal data.
A notice on Janssen CarePath’s website states that IBM manages the application and third-party database that supports the program. Per the notice, Janssen became aware of a “technical method” by which someone could access its database without authorization and promptly notified IBM, who quickly “remediated the issue.” Although IBM’s subsequent investigation identified that there was unauthorized access to the database, the scope of that access was as-yet unknown, leading IBM to begin to notify data breach victims, Janssen relayed.
The lawsuit contends that the defendants’ data breach notice “lacked sufficient information” on how the cyberattack occurred, what safeguards have been added in its wake, and where the compromised information exists today.
According to the suit, consumers “remain in the dark” with regard to what data was stolen and the particular kind of malware used by the perpetrators. As such, data breach victims are “left to speculate” as to where their sensitive data ended up, who has used it, and for what purposes, the case emphasizes.
The suit argues that the one-year subscription to Equifax monitoring services offered by the defendants is inadequate as victims will “likely face many years of identity theft” due to the data breach. Moreover, this offer places the burden on consumers, rather than on the companies, to watch for and report suspicious activity.
“Rather than automatically enrolling Representative Plaintiff and Class Members in credit monitoring services upon discovery of the Data Breach, Defendants merely sent instructions to Representative Plaintiff and Class Members about actions they could affirmatively take to protect themselves,” the filing reads.
The lawsuit looks to cover all individuals in the United States whose personal and/or health information was exposed to unauthorized third parties as a result of the data breach discovered by IBM and Johnson & Johnson Health Care Systems on September 15, 2023.