A technical vulnerability has led to “unauthorized access” to personal data within Johnson & Johnson’s Janssen CarePath patient assistance program, as reported by IBM on Wednesday.
Following an internal investigation, IBM has been unable to ascertain the extent of the breach, including how many accounts were affected or precisely which information may have been compromised. In response to this incident, IBM is taking proactive steps and reaching out to all Janssen CarePath customers “out of an abundance of caution,” according to a statement from the technology giant.
The Janssen CarePath program, designed to assist patients, helped over 1.16 million patients in the United States access medications in 2022 alone. This free initiative aids patients by guiding them through health insurance processes, offering information to initiate and maintain treatment, and providing options to manage out-of-pocket expenses.
According to IBM’s account of the situation, Johnson & Johnson initially became aware of a technical vulnerability in the Janssen CarePath system. Once notified, IBM, the service’s manager, took swift action to rectify the issue.
IBM’s investigation has determined that there was indeed “unauthorized access to personal information in the database” on August 2nd. The compromised data may include individuals’ names, contact details, dates of birth, health insurance information, as well as information related to medications and associated health conditions. However, sensitive data such as Social Security numbers and bank account information were not stored in the affected database.
As a precautionary measure, IBM is offering one year of credit monitoring services to patients enrolled in Janssen CarePath. It’s important to note that any data breach involving personal information remains a permanent concern.
When asked for additional information, a Janssen spokesperson declined to comment further, while an IBM media representative indicated that the company does not anticipate providing more details beyond the initial announcement.
It remains uncertain whether other pharmaceutical companies also rely on IBM to manage their patient assistance programs or if similar incidents have occurred in the industry. This incident is not the first instance of private patient data exposure within the biopharmaceutical sector in recent years. In 2021, records from AstraZeneca’s internal server were inadvertently made accessible on the developer platform GitHub, potentially exposing patient data, including those enrolled in the AZ&Me drug savings program.
Moreover, biopharmaceutical companies have increasingly become targets of cyberattacks. For instance, Japanese pharmaceutical company Eisai experienced a ransomware attack in June, while Sun Pharma disclosed an IT security breach in March, necessitating the isolation of affected systems. These incidents highlight the growing importance of cybersecurity and data protection in the healthcare and pharmaceutical sectors.
