J&J, IBM face class-action lawsuit over patient data breach

As if the talc product liability lawsuits weren’t enough of a headache for Johnson & Johnson, the New Jersey pharma is now facing another lawsuit from patients, this time about a recent data breach.

J&J and IBM were hit with a proposed class action over a recent data breach at J&J’s patient assistance program, Janssen CarePath, which is managed by IBM.

A Florida resident alleged that the companies failed to properly protect personal identity and health information up to industry standards or as required by the Health Insurance Portability and Accountability Act, according to a complaint filed with the federal court in the Southern District of New York.

Besides class-action designation and a jury trial, the lawsuit is seeking an award of damages, along with several other demands that J&J and IBM purge existing personal information and improve their data security.

IBM reported the data breach earlier this month. According to the tech giant, J&J became aware of a technical problem in the Janssen CarePath system and alerted IBM. An IBM investigation confirmed “unauthorized access to personal information in the database” on Aug. 2 but wasn’t able to ascertain the scope of the breach.

The J&J patient assistance platform holds such data as individuals’ names and their contact information, dates of birth, medications and associated conditions but not Social Security numbers and bank accounts, according to IBM.

IBM said the issue has been fixed, and patients are being offered one year of credit monitoring. But those measures are clearly not sufficient for the plaintiff. As the complaint pointed out, once personal data are stolen, “fraudulent use of that information and damage to victims may continue for years.”

Elaine Malinowski, the Floridian plaintiff, was notified of the breach via letter on Sept. 15. She is “made uncomfortable because her personal information and all of her health information is out there,” the complaint says.

Malinowski is now proposing a class of “thousands of” patients affected by the breach. In 2022 alone, the Janssen program assisted more than 1.16 million American patients with accessing medications, according to J&J’s website.

Data breach lawsuits have led to large payouts in the past. Last year, T-Mobile inked a $500 million settlement to resolve a class-action lawsuit related to a 2021 data breach that affected 76.6 million people in the U.S. Consumers recently started to receive cash payments as part of Equifax’s $425 million settlement over the credit reporting firm’s 2017 data breach.

In the healthcare world, Scripps Health in late 2022 agreed to pay nearly $3.6 million to nearly 1.2 million patients whose personal information was compromised during a 2021 data breach.