IBM breach at Johnson and Johnson

IBM Breach Affects Johnson & Johnson Patients

IBM has reported a healthcare data breach affecting 631,000 individuals to the U.S. Department of Health and Human Services (HHS). The company now faces a HIPAA investigation by the Office for Civil Rights (OCR) and two federal class action lawsuits.

IBM is a HIPAA Business Associate

IBM manages the application and the third-party database that support a Johnson & Johnson patient resource tool used by patients whose healthcare providers have prescribed Johnson & Johnson medications. As a third-party vendor with access to protected health information (PHI), IBM is a HIPAA business associate of the covered entity, Johnson & Johnson.

The Breach

Johnson & Johnson published a breach notice on its website in early September. The notice explained that a “technical method” allowed someone to gain unauthorized access to an IBM database on August 2, 2023. IBM apparently remediated the issue promptly and began investigating. The extent of the breach was unknown at that time.

As the investigation continued, IBM was able to identify the specific files affected by the hack, which led to the September 29, 2023 breach report to HHS.

The PHI exposed included individuals’ names, contact information, birthdates, health insurance information, and information about the medications and associated conditions that had been provided to Johnson & Johnson.

Lawsuits Claim Negligence

Two proposed class action lawsuits have already been filed against IBM and Johnson & Johnson in the U.S. District Court for the Southern District of New York. The lawsuits make similar claims and the judge overseeing them has ordered they be consolidated. Both lawsuits allege that the companies were negligent in safeguarding individuals’ sensitive health information and personal data from unauthorized access.

The lawsuits claim that, as a result of this negligence, the plaintiffs’ and class members’ personal information was compromised and exposed to an unidentified, malicious third party. They also allege that the disclosure may lead to future fraud targeting the plaintiffs and class members.

In addition to seeking financial damages, the lawsuits ask that IBM and Johnson & Johnson be required to strengthen their data security practices.

Johnson & Johnson is Also Under Scrutiny

Even though the breach occurred at IBM, Johnson & Johnson is not off the hook. In addition to defending the lawsuits, Johnson & Johnson will face scrutiny from OCR in the HIPAA investigation.

Covered entities like Johnson & Johnson are required to exercise due diligence with their business associates: does the business associate conduct a HIPAA risk analysis, and does it have written policies and strong security practices? Covered entities also need to have business associate agreements in place with each vendor that handles PHI on their behalf.

Pay Attention to Business Associates

Business associates and third-party vendors have played an outsized role in some of the largest health data breaches of 2023 thus far. These range from the IBM/Johnson & Johnson breach to the massive hacks involving popular file transfer software products like Progress Software’s MOVEit and Fortra’s GoAnywhere.

According to the OCR breach reporting website, as of October 24, 2023, there had been 488 large health data breaches, impacting a staggering 87 million individuals. Around 40% of these breaches, affecting nearly 54 million individuals (well over half of the total), are attributed to business associates entrusted with handling PHI.

But Don’t Make a Business Associate Your Agent

Managing business associates requires balance. You want to make sure they have their own HIPAA policies and that they follow HIPAA, but if you exert too much control over how they do their work, you may inadvertently make them your “agent” under the federal common law of agency. If that happens, you become directly responsible for their actions and liable for their negligence.

Stay informed about managing business associates with The HIPAA E-Tool®.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.