IBM, Johnson & Johnson Health Care Systems Facing Lawsuit Over 2023 Janssen CarePath Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit aims to hold IBM and Johnson & Johnson Health Care Systems responsible for a “massive and preventable” 2023 data breach that compromised the sensitive information of thousands of people who were enrolled in Janssen CarePath services. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here. 

The 47-page case says that although the companies claim to have discovered the cyberattack as early as August 2, they did not inform victims until September 15, leaving consumers “wholly unaware” that their data had been stolen until they received letters from IBM and Johnson & Johnson Health Care Systems. 

The breach reportedly impacted consumers who were enrolled in Janssen CarePath, a support program owned by Johnson & Johnson Health Care Systems for patients taking Janssen medications, prior to July 2, 2023. According to the suit, consumers’ names, contact information, and medication and medical condition details were compromised in the IBM and Johnson & Johnson Health Care Systems data breach. 

The filing alleges the companies “disregarded the rights” of consumers by failing to ensure that their network servers were adequately protected. The suit notes that the information in the care of the defendants was subject to Health Insurance Portability and Accountability Act (HIPAA) regulations, under which companies like IBM and Johnson & Johnson Health Care Systems are required to have in place appropriate safeguards to protect sensitive medical and personal data. 

A notice on Janssen CarePath’s website states that IBM manages the application and third-party database that supports the program. Per the notice, Janssen became aware of a “technical method” by which someone could access its database without authorization and promptly notified IBM, who quickly “remediated the issue.” Although IBM’s subsequent investigation identified that there was unauthorized access to the database, the scope of that access was as-yet unknown, leading IBM to begin to notify data breach victims, Janssen relayed. 

The lawsuit contends that the defendants’ data breach notice “lacked sufficient information” on how the cyberattack occurred, what safeguards have been added in its wake, and where the compromised information exists today. 

According to the suit, consumers “remain in the dark” with regard to what data was stolen and the particular kind of malware used by the perpetrators. As such, data breach victims are “left to speculate” as to where their sensitive data ended up, who has used it, and for what purposes, the case emphasizes. 

“Representative Plaintiff’s and Class Members’ [personal information] may end up for sale on the dark web or fall into the hands of companies that will use the detailed [personal information] for targeted marketing without Representative Plaintiff’s and/or Class Members’ approval. Either way, unauthorized individuals can now easily access Representative Plaintiff’s and Class Members’ [personal information].” 

The suit argues that the one-year subscription to Equifax monitoring services offered by the defendants is inadequate as victims will “likely face many years of identity theft” due to the data breach. Moreover, this offer places the burden on consumers, rather than on the companies, to watch for and report suspicious activity. 

“Rather than automatically enrolling Representative Plaintiff and Class Members in credit monitoring services upon discovery of the Data Breach, Defendants merely sent instructions to Representative Plaintiff and Class Members about actions they could affirmatively take to protect themselves,” the filing reads. 

The suit looks to cover all individuals in the United States whose personal and/or health information was exposed to unauthorized third parties as a result of the data breach discovered by IBM and Johnson & Johnson Health Care systems on September 15, 2023. 

Are you owed unclaimed settlement money? Check out our class action rebates page full of open class action settlements.