Incident

Janssen’s CarePath platform breached through IBM breach



IBM, a service provider to Johnson & Johnson Health Care Systems, Inc., has reported a data breach affecting the Janssen CarePath patient support platform, potentially exposing personal information.

Janssen CarePath is a patient support program provided by Janssen Pharmaceuticals, a subsidiary of Johnson & Johnson. The program is designed to assist patients and healthcare professionals in the United States by providing information and support related to Janssen's pharmaceutical products and treatments, information about insurance coverage, out-of-pocket expenses, and prescription details.

IBM serves as the provider for the Janssen CarePath platform. They discovered the breach on August 2, 2023, and promptly disabled the unauthorized access method.

The breach exposed details such as:

  • names,
  • contact details,
  • birthdates,
  • health insurance data,
  • information on medications and related conditions.

Social security numbers and financial account information were not affected.

The breach could affect in excess of a million individuals, with Janssen reporting that 1.16 million patients used its CarePath program in 2022.

IBM’s description of how the database was accessed as a “technical method” suggests it could have been via an unpatched vulnerability or a failure to properly secure the database against external access.

While there is no evidence of misuse, individuals impacted by the breach are offered a complimentary one-year credit monitoring service. Janssen CarePath users are advised to review their account statements and promptly report any suspicious activity.
