Johnson & Johnson, already grappling with talc product liability lawsuits, is now facing legal action from patients in relation to a recent data breach. A proposed class action lawsuit has been filed against J&J and IBM over a data breach at J&J’s patient assistance program, Janssen CarePath, which is handled by IBM.
The lawsuit alleges that the companies failed to adequately safeguard personal identity and health information in accordance with industry standards or the Health Insurance Portability and Accountability Act (HIPAA). The complaint was filed in the federal court of the Southern District of New York by a Florida resident.
In addition to seeking class-action status and a jury trial, the lawsuit is pursuing damages and various other remedies, including the removal of existing personal data and enhancements to data security measures for J&J and IBM.
IBM reported the data breach earlier this month, indicating that J&J had identified a technical issue in the Janssen CarePath system and alerted IBM. IBM’s investigation confirmed “unauthorized access to personal information in the database” on August 2 but could not ascertain the full extent of the breach. The Janssen patient assistance platform stores data such as names, contact details, birthdates, medications, and associated conditions, but it does not contain Social Security numbers or bank account information, according to IBM.
Although IBM has taken steps to address the issue, including offering one year of credit monitoring to affected patients, the plaintiff argues that such measures are insufficient. The complaint highlights the enduring risks associated with stolen personal data, which can lead to fraudulent activities and ongoing damage to victims over extended periods.
The lawsuit, represented by Elaine Malinowski, aims to establish a class of potentially thousands of patients affected by the breach. In 2022 alone, the Janssen program aided over 1.16 million American patients in accessing medications, according to J&J’s website. Past data breach lawsuits have resulted in substantial settlements, such as T-Mobile’s $500 million settlement related to a 2021 data breach and Equifax’s $425 million settlement over its 2017 data breach.
In the healthcare sector, Scripps Health agreed in late 2022 to pay nearly $3.6 million to approximately 1.2 million patients whose personal information was compromised during a 2021 data breach. This latest lawsuit adds to the growing concerns surrounding data security and privacy in the healthcare industry.