Johnson & Johnson could be facing yet another class action lawsuit, this time not over its talc baby powder but over a patient data breach.
The company and computer software giant IBM may be served a class action lawsuit over a patient data breach at Janssen CarePath, Johnson & Johnson’s patient assistance program, the portal for which is run by IBM.
The lawsuit was filed with the federal court in the Southern District of New York by an individual in Florida who claims the companies failed to adequately protect patients’ personal identity and health information as per the Health Insurance Portability and Accountability Act. The plaintiff is being represented by Lynch Carpenter, LLP, which is investigating the claims.
IBM notified Janssen CarePath of the security compromise earlier this month, saying the “data incident” may have included individuals’ full names, contact details and information related to health insurance and medications that were collected as part of the Janssen CarePath application.
IBM said Janssen noticed a technical problem in Janssen CarePath and alerted IBM. After an investigation, the tech giant said it came across “unauthorized access to personal information in the database” on August 2 but couldn’t determine the extent of the breach.
Lynch Carpenter said the cybersecurity attack could have “potentially impacted the personal information of over a million patients.”
The Janssen CarePath online platform is free for registered patients, providing patients and healthcare professionals in the US with information about insurance coverage, out-of-pocket costs and prescribing information about medications.
While Johnson & Johnson’s patient assistance platform holds information including patient names, dates of birth, contact information, medication details and health conditions, IBM said it does not have information like social security numbers and bank accounts.
IBM has assured users that the problem has been fixed. And after the incident, patients are being offered one year of credit monitoring.
However, for individuals like Florida resident Elaine Malinowski, who filed the lawsuit against Johnson & Johnson, the offer is not good enough.
Plaintiff Malinowski says she was notified of the data breach on September 15 in a letter. She said the security incident made her “uncomfortable because her personal information and all of her health information is out there.”
Malinowski has proposed a class action involving thousands of patients impacted by the breach.
Other big pharma companies such as Merck, Pfizer, Roche and AstraZeneca have faced security breaches in the recent past.
Eisai, co-developer of recently approved Alzheimer’s drug Leqembi, fell victim to a ransomware attack in June, due to which several of the company’s systems had to be taken offline.
Regulators are also not immune to cyberattacks. In December 2020, the European Medicines Agency (EMA) announced that it had been subject to one in which documents relating to the Pfizer/BioNTech COVID vaccine had been accessed illegally.
According to IBM’s 2020 data breach report, data breaches in the pharma industry cost an average of $5 million to remediate. The healthcare industry topped the list of average total cost of a cyber attack, with a data breach in healthcare costing just over $7 million.
According to the report, on average, roughly half of all data breaches across some of the biggest industries, including healthcare, pharma, technology, transportation, retail and finance, are caused by malicious attacks and the other half by system glitches and human error.
And lawsuits involving data breaches have resulted in large payouts. In healthcare, Scripps Health agreed to pay around $3.6 million to 1.2 million patients in 2022 over a breach in 2021.