IBM has reported a healthcare data breach affecting 631,000 individuals to the U.S. Department of Health and Human Services (HHS). The company now faces a HIPAA investigation by the Office for Civil Rights (OCR) and two federal class action lawsuits.
IBM is a HIPAA Business Associate
IBM manages the application and the third-party database that supports a Johnson & Johnson patient resource tool, which guides patients prescribed Johnson & Johnson medications by their healthcare providers. As a third-party vendor with access to protected health information (PHI), IBM is a HIPAA business associate of the covered entity Johnson & Johnson.
The Breach
Johnson & Johnson published a breach notice on its website in early September. The notice explained that a “technical method” allowed someone to gain unauthorized access to an IBM database on August 2, 2023. IBM apparently remediated the issue promptly and began investigating. The extent of the breach was unknown at that time.
As the investigation continued, IBM apparently identified the specific files affected by the hack, which led to the September 29, 2023 breach report to HHS.
The PHI disclosed included individuals’ names, contact information, birthdates, health insurance information, and information about medications and associated conditions that were provided to Johnson & Johnson.
Lawsuits Claim Negligence
Two proposed class action lawsuits have already been filed against IBM and Johnson & Johnson in the U.S. District Court for the Southern District of New York. The lawsuits make similar claims and the judge overseeing them has ordered they be consolidated. Both lawsuits allege that the companies were negligent in safeguarding individuals’ sensitive health information and personal data from unauthorized access.
The lawsuits claim that due to this negligence, plaintiffs’ and class members’ personal information was compromised, exposing them to an unidentified and malicious third party. They also allege that this disclosure may lead to future fraudulent activities targeting the plaintiffs and class members.
In addition to seeking financial damages, the lawsuits ask that IBM and Johnson & Johnson be required to enhance their data security practices.
Johnson & Johnson is Also Under Scrutiny
Even though the breach occurred at IBM, Johnson & Johnson is not off the hook. In addition to defending the lawsuits, Johnson & Johnson will face scrutiny from OCR in the HIPAA investigations.
Covered entities like Johnson & Johnson are required to exercise due diligence with their business associates: does the business associate conduct a HIPAA risk analysis, and does it have policies and strong security practices in place? Providers also need to have business associate agreements in place.
Pay Attention to Business Associates
Business associates and third-party vendors have played an outsized role in some of the largest health data breaches of 2023 thus far. These range from the IBM/Johnson & Johnson breach to the massive hacks involving popular file transfer software products like Progress Software’s MOVEit and Fortra’s GoAnywhere.
According to the OCR breach reporting website, as of October 24, 2023, there have been 488 large health data breaches, impacting a staggering 87 million individuals. Surprisingly, around 40% of these breaches, affecting nearly 54 million, are attributed to business associates entrusted with handling PHI.
But Don’t Make a Business Associate Your Agent
Managing business associates requires balance. You want to make sure they have their own HIPAA policies and that they follow HIPAA, but if you exert too much control over their actions, you may inadvertently make them your “agent.” If that happens, you become directly responsible for their actions and liable for their negligence.
Stay informed about managing business associates with The HIPAA E-Tool®.