Export Compliance Daily is a Warren News publication.
'Life-Threatening Consequences'

CarePath Patient Seeks Lifetime Credit Monitoring Following IBM Data Breach

IBM, Johnson & Johnson and Janssen CarePath failed to secure plaintiff Kristal Mize’s personally identifiable information (PII) and protected health information (PHI) when they allowed an unauthorized third party to access their computer systems, alleged a privacy class action (docket 7:23-cv-09725) Friday in U.S. District Court for Southern New York in White Plains.

The defendants were alerted to the computer hack Aug. 2 but didn’t inform victims, including Florida resident Mize, of the data breach until a Sept. 15 notice via U.S. mail involving “unauthorized access” to PII within a database used on the Janssen CarePath platform, the complaint said. IBM, a business associate of Johnson & Johnson, manages the application and database that supports the Janssen CarePath platform.

Defendants maintained Mize’s PII and PHI in a “reckless and negligent manner” and in a condition “vulnerable to a cyberattack,” the complaint said. If they had informed Mize about the breach sooner, she “would have been able to take containment steps sooner,” it said. The data breach notice informed Mize “to remain vigilant” by regularly reviewing her account statements and taking steps to protect her PII/PHI and “otherwise mitigate her damages,” it said. CarePath’s notice “placed the onus of monitoring and surveillance on the Plaintiff, and other individuals similarly situated, for the issues Defendant created,” it said.

Mize suffered injury in the form of damages to and diminution in the value of her PHI and PII, which she had entrusted to CarePath, said the complaint. She suffered lost time, annoyance, interference and inconvenience due to the breach and has “anxiety and increased concerns” for the loss of her privacy now that cybercriminals have access “to use and sell” her data, it said. She suffered “imminent and impending injury” from the increased risk of fraud, identity theft and misuse of her PHI and PII by cybercriminals, it said.

The data breach could have been prevented if defendants had implemented Health Insurance Portability and Accountability Act-mandated industry standard policies and procedures for securely disposing of PHI when it was no longer necessary, or if they had honored their obligation to patients, said the complaint.

Medical identity theft can result in inaccuracies in medical records and costly false claims, the complaint said, and it can have “life-threatening consequences.” If a victim’s health information is confused with other records, “it can lead to misdiagnosis or mistreatment,” it said.

Mize asserts claims of negligence and negligence per se, breach of implied contract, breach of fiduciary duty and unjust enrichment. She seeks awards of actual and statutory damages, equitable relief, restitution, disgorgement, funds for lifetime credit monitoring and identity theft insurance, pre- and post-judgment interest, attorneys’ fees and legal costs.

A CarePath notice on its website said that after Janssen informed them of the breach, IBM and the database provider “promptly identified and implemented steps that disabled the technical method at issue. IBM also worked with the database provider to augment security controls to reduce the chance of a similar event occurring in the future.” IBM has no indication of any of the involved information being misused, Janssen said, and is offering free one-year credit monitoring to individuals whose information may have been involved.