Current Edition

J&J’s patient assistance program suffers data breach, IBM says

A technical flaw has resulted in “unauthorized access” to personal information at Johnson & Johnson’s Janssen CarePath patient assistance program, IBM reported on Wednesday.

After an internal investigation, IBM was unable to determine how many accounts were affected, or the exact information that may have been compromised. The company is reaching out to all Janssen CarePath customers “out of an abundance of caution,” the tech giant said in a statement.

The Janssen program helped more than 1.16 million U.S. patients access medications in 2022 alone, according to the drugmaker’s website. The free initiative facilitates access by helping patients navigate health insurance, plus provides information to get patients started on and stay on treatment. The program also provides options to manage out-of-pocket costs.

By IBM’s account of events, J&J first became aware of a technical loophole in the Janssen CarePath system. Once informed, IBM, which manages the service, “promptly remediated the issue.”

An investigation by IBM concluded that there was “unauthorized access to personal information in the database” on August 2.

Some sensitive personal information may have been exposed. Such data might include individuals’ names and their contact information, date of birth, health insurance information, plus information about medications and associated conditions, according to IBM. Social security numbers and bank accounts were not included in the database.

IBM is offering patients enrolled in Janssen CarePath a one-year credit monitoring service, although any data leak on personal information would be permanent.

In response to a Fierce Pharma request for additional details, a Janssen spokesperson said the J&J subsidiary has no further comment. A media aide to IBM said the company does not expect to have information beyond Wednesday’s announcement. It’s not immediately clear if other drugmakers also use IBM to manage their patient assistance programs, or if similar incidents have happened.

This is not the first time that private patient data hosted by a biopharma company has been exposed in recent years. Some records from AstraZeneca’s internal server were made available on the developer platform GitHub in 2021, leaving some patient data, including those in the AZ&Me drug savings program, open for public access for more than a year, TechCrunch reported at the time.

Biopharma companies are also regular targets in cyberattacks. The Japanese pharma Eisai suffered a ransomware attack in June. Sun Pharma in March disclosed an IT security breach, which forced the Indian company to isolate the affected systems.