
Johnson & Johnson Reveals: IBM Data Breach Compromised Customer Data


Johnson & Johnson Health Care Systems (Janssen) recently notified its CarePath customers of a third-party data breach at IBM that compromised their sensitive information.

IBM is a technology service provider for Janssen; in particular, it administers the CarePath application and its database.

CarePath is a software program designed to help patients obtain Janssen medications, offer discounts and cost-saving tips on prescriptions, explain insurance eligibility, and send reminders for drug refills and administration.

According to the notice on Janssen's website, the pharmaceutical company learned of a previously undocumented technique that could give unauthorized individuals access to the CarePath database.

Janssen reported the issue to IBM, which promptly patched the security gap and conducted an internal investigation to determine whether the flaw had been exploited by anyone.

The investigation concluded on August 2, 2023, and found that unauthorized persons had accessed the following CarePath user details:

  • Full name 
  • Contact information 
  • Date of birth 
  • Health insurance information 
  • Medication information 
  • Medical condition information 

CarePath users who signed up for Janssen's online services before July 2, 2023, are affected by the exposure. That cutoff may indicate that the breach occurred on that date, or that the compromised database was a backup taken at that time.

Social Security numbers and financial account data were not stored in the breached database, so those details were not exposed.

The company further revealed that the breach did not affect Janssen's Pulmonary Hypertension patients.

Given the significance of medical data, there is a strong likelihood that the leaked data will be sold for a premium on darknet markets. The compromised data could support very effective phishing, scamming, and social engineering attacks.

IBM also published an announcement about the incident, stating that there are no signs that the stolen data has been misused. It nonetheless advises Janssen CarePath users to watch closely for any unusual activity on their account statements. The tech giant is providing affected individuals with one year of free credit monitoring to help protect them against fraud.

Both announcements include toll-free phone numbers that customers and providers can call to ask questions about the incident or get help enrolling in the credit monitoring service.

IBM is one of the hundreds of companies compromised by the Clop ransomware gang earlier this year, when the threat actors exploited a zero-day vulnerability in the MOVEit Transfer software used by organizations worldwide.

Asked whether this incident is connected to the MOVEit attack, an IBM spokesperson confirmed that the two are separate incidents carried out by different threat actors.

How Much Will Each Stolen Client SSN Cost You Now That You Have Been Pwned?


Following the theft from its systems of more than 447,000 patient names, Social Security numbers, and private medical information, a Florida healthcare organization has resolved a class-action lawsuit. 

Orlando Family Physicians, which operates 10 clinics in central Florida, has agreed to pay a reimbursement to affected patients who submit a claim by July 1 and to provide them with two years of free credit monitoring. Depending on what kind of private information the thieves obtained, patients may receive up to $225 or, for those whose SSNs were stolen, up to $7,500. 

As part of the settlement, however, the physician group denies any responsibility for the data theft. 

Court records show that the intrusion took place in April 2021, after attackers used a phishing scam to gain access to the email accounts of four employees. According to Orlando Family Physicians, it "immediately" took the necessary steps to contain the intrusion and hired a "leading" security firm to determine its scope. 

A few months later, the health group published a notice on its website and sent letters to the victims whose private information had been compromised. The data reportedly includes names, demographic information, health information (including diagnoses, medical record numbers, patient account numbers, passport numbers, providers, and prescriptions), and health insurance details, including legacy Medicare beneficiary numbers derived from the person's Social Security number or other subscriber identification numbers. 

However, according to the physician group, "the available forensic evidence indicates that the unauthorized person's purpose was to commit financial fraud against OFP and not to obtain personal information about the affected individuals." 

OFP reported the breach to the US Department of Health and Human Services as potentially affecting 447,426 individuals. 

Is Your PII Worth $250, or $75k? 

After the attorneys take their cut, of course, the hundreds of thousands of people whose personal information almost certainly ended up for sale on a hacking forum are now eligible for compensation. The total value of the settlement has not been disclosed. 

Two groups within the class stand to benefit financially. The first group, individuals who incurred out-of-pocket costs as a result of the theft, may claim up to $225 in documented expenses. This covers costs incurred freezing or unfreezing credit reports, paying for credit monitoring services, or contacting banks about the incident, including notary, fax, mailing, copying, mileage, and long-distance phone charges. 

Victims in this group can also claim up to three hours of time lost dealing with the breach, at a rate of $25 per hour. 

The second group consists of victims whose Social Security numbers were taken. They are eligible to claim up to $7,500 for documented instances of identity theft, fraudulent tax returns, or other fraud that can be traced back to the original intrusion. They can also claim up to eight hours of lost time at $25 per hour. 

The settlement comes as ransomware gangs and other cybercriminals intensify their attacks on hospitals and other healthcare organizations, and the lawyers have responded by bringing numerous class-action cases. 

One such proposed class-action lawsuit followed a February intrusion in which the BlackCat ransomware gang broke into one of Lehigh Valley Health Network's physician networks, stole sensitive health records belonging to more than 75,000 people, including photographs of patients undergoing radiation oncology treatment, and then demanded a ransom to decrypt the files and to refrain from posting the records online.