IBM, Johnson & Johnson Hit With Second Health Data Breach Suit

IBM Corp. and Johnson & Johnson Health Care Systems Inc. face a Florida man’s proposed class action over an August data breach that potentially exposed the personal health information of more than a half-million people.

Plaintiff Jarvis Bryant Jenkins alleged the companies were negligent regarding the safety of his sensitive health records, shared with J&J, that that were exposed as result of a data breach at IBM, according to the complaint filed Wednesday in the US District Court for the Southern District of New York.

The data breach affected J&J’s Janssen CarePath system, a patient support program that offers users assistance and information regarding their prescription medications and holds their data. J&J used IBM as a service provider to manage the CarePath application and the third-party database that supports it, the complaint said. A separate class action regarding the breach was filed in the same court in September.

Jenkins’ medication data as well as the personal health information and personally identifiable information “belonging to at least one million” J&J customers was exposed in the breach, according to the complaint. IBM has reported to the Department of Health and Human Services that at least 630,755 individuals were affected, it said.

The breach was “a direct result of J&J and IBM’s failure to implement adequate and reasonable cybersecurity safeguards necessary to protect the PHI and PII of Mr. Jenkins and the class,” the filing said.

The complaint skewers the companies for waiting more than a month to notify victims of the unauthorized access. Jenkins was notified of the Aug. 2 breach on Sept. 20, it said.

The new lawsuit alleges that the exposure of sensitive health data puts the plaintiff at life-long risk of identity fraud and cybercrime. “The cat cannot be put back in the bag: Mr. Jenkins’s PHI and PII, and the PHI and PII of all class members, will forever be vulnerable,” the filing said.

Jenkins alleges that IBM was well aware of the risks of data theft to health-care data, citing its incident response team’s work as well as FBI warnings about cyberattacks against the health-care industry. IBM also faces a class action involving a separate breach related to the Progress Software’s MOVEit file-transfer application.

IBM didn’t immediately respond to a request for comment.

Bathaee Dunne LLP represents Jenkins. Attorneys for IBM and J&J have not yet entered an appearance.

The case is Jenkins v. International Business Machines Corp. et al, S.D.N.Y., No. 7:23-cv-10244, complaint filed 11/21/23.