Cyber Incident Victim: Johnson & Johnson Health Care Systems

Date: Aug 2023

Location: United States of America

Summary

Johnson & Johnson Health Care Systems disclosed a data breach impacting patients enrolled in its Janssen CarePath program. The incident stemmed from a vulnerability in IBM's management of the CarePath application, exposing patient names, contact details, health insurance, and medical information. The compromised data did not include Social Security numbers or financial account data. IBM addressed the security gap and is offering credit monitoring to affected individuals.

Description

On or around July 2nd, 2023, Johnson & Johnson Health Care Systems Inc., operating as Janssen, became aware of a security issue concerning its CarePath application. The CarePath application is a service designed to help patients gain access to Janssen medications; it offers discounts and cost-saving advice on eligible prescriptions, provides guidance on insurance coverage, and sends prescription refill and medication administration alerts. The application and its supporting database are managed by IBM, which acts as a technology service provider for Janssen. The specific nature of the security issue was the discovery of a previously undocumented method that could potentially give unauthorized users access to the CarePath database. Upon becoming aware of this security gap, Janssen promptly reported the issue to IBM for investigation and remediation.

IBM responded to the report from Janssen by immediately fixing the identified security gap to prevent any further potential unauthorized access. Following the mitigation of the vulnerability, IBM launched an internal investigation to assess whether the flaw had been exploited prior to the fix. This investigation was conducted to determine if any unauthorized access or data exfiltration had occurred. The investigation was concluded on August 2nd, 2023, and its findings confirmed that unauthorized users had indeed accessed the CarePath database. The period during which this unauthorized access occurred was not explicitly detailed, but the notice indicated that the exposure impacts CarePath users who enrolled on Janssen's online services before July 2nd, 2023. This date may indicate when the breach occurred or may suggest that the breached database was a backup containing information up to that point.

The investigation determined that the unauthorized access resulted in the compromise of specific categories of user data stored within the CarePath database. The information accessed included full names, contact information, and dates of birth of the affected individuals. More significantly, the breached data contained sensitive health-related information, including details about an individual's health insurance, the specific medications they were prescribed or using, and information concerning their medical conditions. This combination of personal and highly sensitive medical data creates a significant risk for the impacted individuals, as it could be used to support highly effective phishing, scamming, and social engineering attacks. Furthermore, given the substantial value of medical data on illicit markets, there is a high probability that the stolen information could be sold for a premium on darknet forums.

It is important to note what types of data were not involved in this incident. According to the information provided, Social Security numbers and financial account data were not kept in the particular database that was breached. Therefore, these critical pieces of financial and identification information were not exposed as a result of this event. This limitation in the scope of the data exposure provides some mitigation against certain forms of identity theft and financial fraud. Additionally, Janssen has clarified that this particular security incident did not impact its population of Pulmonary Hypertension patients, indicating that the breach was confined to the CarePath system and did not extend to its other, separate patient support programs.

Following the conclusion of the investigation, IBM published its own announcement regarding the incident. In its statement, IBM indicated that there were no indications the stolen data had been misused at the time of the announcement. Despite this lack of evidence regarding misuse, both IBM and Janssen are urging affected CarePath users to remain vigilant. The recommendations include closely monitoring account statements and explanations of benefits from health insurance providers for any signs of suspicious or fraudulent activity. As a protective measure, IBM is offering a one-year credit monitoring service free of charge to all individuals impacted by the breach to help protect them from potential fraud. Both companies have also established dedicated toll-free numbers where providers and users can call to address their questions about the incident or receive assistance with enrolling in the offered credit monitoring services.

This incident represents a third-party data breach, where the compromise occurred within the systems of a vendor, IBM, rather than within the direct infrastructure of Johnson & Johnson Health Care Systems Inc. / Janssen. The breach at IBM is reported to be a separate incident, unrelated to the widespread MOVEit file transfer attacks that also impacted IBM and hundreds of other organizations earlier in the same year. When questioned by journalists, an IBM spokesperson clarified that this CarePath breach was caused by different threat actors and was not connected to the exploitation of the zero-day vulnerability in the MOVEit Transfer software. This distinction is crucial for understanding the threat landscape and the specific attack vector that led to this data exposure.

The scope of the impact, in terms of the number of individuals affected, was not provided with a precise figure in the available information. However, IBM stated that they are notifying all CarePath users, suggesting that the entire user base of the application enrolled before July 2nd, 2023, was potentially impacted. This broad notification approach indicates a significant number of affected patients and healthcare consumers. The incident also highlights the ongoing challenges and risks associated with third-party vendor relationships in the healthcare sector, where service providers managing sensitive data can become a single point of failure. The compromise of such a vendor can have cascading effects, directly impacting the customers and patients of the primary company, in this case, Janssen. The prompt action taken by Janssen in reporting the issue and by IBM in remediating the vulnerability and investigating the breach demonstrates a coordinated response to a serious cybersecurity event. The focus now remains on mitigating the potential harm to the affected individuals through vigilance and the offered protective services.
