IBM and Johnson & Johnson Health Care Systems Sued Over August 2023 Data Breach
A lawsuit has been filed against IBM Corp. and Johnson & Johnson Health Care Systems Inc. over an August 2023 data breach that exposed the protected health information of thousands of people who used the Janssen CarePath patient assistance program.
IBM is a business associate of Johnson & Johnson and manages the application and database that supports the Janssen CarePath platform. After being notified about a technical issue within the platform that could be exploited to gain access to sensitive data, IBM investigated and discovered there had been unauthorized access on August 2, 2023. The information accessed by an unauthorized third party included names, contact information, dates of birth, health insurance information, medications, and healthcare conditions. Affected individuals were offered complimentary credit monitoring services for 12 months. It is currently unclear how many patients were affected. Last year, 1.16 million patients used the Janssen CarePath patient assistance program.
On September 22, 2023, a class action lawsuit was filed in the US District Court for the Southern District of New York on behalf of plaintiff Elaine Malinowski and similarly situated individuals whose information had been exposed. The lawsuit alleges IBM Corp. and Johnson & Johnson Health Care Systems failed to properly secure and safeguard the protected health information of individuals who used the Janssen CarePath patient assistance program, and that those failures violated the HIPAA Privacy and Security Rules. There is no private cause of action in HIPAA, which means individuals cannot sue HIPAA-covered entities or their business associates for violations of the HIPAA Rules. In this case, the lawsuit does not bring claims for direct violations of HIPAA, and instead charges the defendants “with various legal violations merely predicated upon the duties set forth in HIPAA.”
The lawsuit also criticizes the defendants for the length of time it took to issue breach notifications. The breach was detected on August 2, 2023, but notification letters were not mailed until September 15, 2023. It should be noted that notification letters were sent within the 60 days allowed by the HIPAA Breach Notification Rule. The lawsuit also criticizes the content of the letters, which it says made it difficult for the plaintiff and class members to determine where their PHI has ended up, who has used it, and for what nefarious purposes it is likely to be used.
The lawsuit claims the plaintiff has had to regularly monitor her credit and identity for fraudulent activity since the data breach and claims the breach made her uncomfortable because her personal and health information “is out there.” The lawsuit alleges negligence for failing to properly secure data through methods such as encryption, negligence per se, breach of confidence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, breach of fiduciary duty, and unjust enrichment.
The lawsuit seeks class action certification, a jury trial, awards of actual, nominal, and consequential damages, and equitable relief to prohibit the defendants from engaging in further wrongful conduct. The lawsuit also seeks an order from the court requiring the defendants to implement additional safeguards, such as encryption of all PHI/PII, protection of data with firewalls, a prohibition on storing patient data in cloud databases, a threat management program, and regular penetration tests to identify vulnerabilities before they can be exploited. The plaintiff and class are represented by Jared R. Cooper, Esq., of Robinson Yablon Cooper & Bonfante, LLP, and Daniel Srourian, Esq., of the Srourian Law Firm, P.C.