By Erika Koutroumpa,
This month a lawsuit was filed by an individual, Jarvis Bryant Jerkins in the US District Court for the Southern District of New York, against IBM and Johnson and Johnson. The reason behind this is the August data breach at IBM, which has potentially exposed the personal health information of more than a half-million people. Data leaks in the healthcare sector are a trend that began with the digitalization of patient records, and it shows an increase at a steady rate. Why do they occur and do victims have good reason to be worried?
IBM is a software and hardware developing company, that collaborated with Johnson and Johnson to create the database of the Janssen CarePath system- an application aimed to support and inform users on their prescription medication. The platform holds sensitive biometric data such as individuals’ names, contact information, dates of birth, medications, and associated conditions but no social security numbers and bank accounts, according to IBM. The computer software company has reported to the Department of Health and Human Services that at least 630,755 individuals were affected by the breach, which occurred on 2 August 2023.
In the lawsuit, the Plaintiff alleged that the defendants were negligent with the safety of his sensitive health records, as well as that he was notified of the August 2 breach on September 20, a month later than the breach. Another major point of the case is that according to the victim, the data breach has put him at risk for identity fraud and cybercrime. This is not the first class action lawsuit for IBM, since another claim had been filed for the same CarePath application by another individual, Elaine Malinowski, this September. “companies failed to adequately protect personal identity and health information according to industry standards or the Health Insurance Portability and Accountability Act requirements. Demands for J&J and IBM include compensation, data purging, and enhanced data security measures” .
The health sector is one of those that are most plagued by data breaches, with the Health Insurance Portability and Accountability Act (HIPAA) placing well-defined legally mandated reporting requirements in the industry. This 1996 legislation is a federal law, that creates national standards aiming to protect sensitive patient health information from being revealed without the patient’s consent. The Privacy Rule of the HIPAA also outlines the standards for the patient’s rights to understand and control how their health information is used, aiming to provide high-quality healthcare services while also protecting civilians’ health and wellbeing. According to this legislation, data breaches of over 500 records, regardless of cause, must be reported.
Data breaches may be caused by credential-stealing malware, accidental disclosure, unauthorized internal access, or insiders who disclose sensitive data on purpose. Personal Health Information is of high value on the black market, giving criminals an incentive to penetrate databases containing patient records. Unlike credit card information, an individual’s medical history can never be changed or replaced, hence it can be used to target victims with ruses that exploit a victim’s medical conditions. The information is also enough to be used by the hacker to take a loan on the victim’s behalf, to make fake insurance claims, as well as to purchase and then resell medical equipment or prescriptions. According to a report by the US Department of Health and Human Services, over 15 million health records have been compromised by data breaches.
To conclude, patient data compromisation via data breaches can have dire consequences for the victims, as it can be used for a variety of fraudulent crimes by hackers. Companies should take active measures to ensure the safety of their databases, not only by improving their software but by also educating the personnel on proper data handling. Class action lawsuits by victims can also result in the reputation and the finances of the economy taking a hit. For. For example, Scripps Health in late 2022 agreed to pay nearly 3.6 million USD to nearly 1.2 million patients whose personal information was compromised during a 2021 data breach.
References
- Three US data breaches show varied healthcare exposure risks, Reuters. Available here
- IBM, Johnson & Johnson Hit With Second Health Data Breach Suit, Bloomberg Law. Available here
- Class-Action Lawsuit Targets Johnson & Johnson and IBM after Data Breach, FiercePharma. Available here
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Health Professionals Gateway- Centers for Disease Control and Prevention. Available here
- J. Reddy, N. Elsayed, Z. ElSayed, M. Ozer, A Review on Data Breaches in Healthcare Security Systems, International Journal of Computer Science (FCS), Volume 184- No 45, 2023.