Plaintiff Jarvis Bryant Jenkins claims that the companies were negligent in protecting his sensitive health records, which were shared with J&J and were exposed as a result of a data breach at IBM. The complaint was filed in the US District Court for the Southern District of New York.
The data breach affected J&J’s Janssen CarePath system, a patient support program that provides users with assistance and information regarding their prescription medications and holds their data. J&J used IBM as a service provider to manage the CarePath application and the third-party database that supports it. Another class action regarding the breach was filed in the same court in September.
Jenkins alleges that his medication data, personal health information, and personally identifiable information, as well as that of at least one million J&J customers, was exposed in the breach. IBM reported to the Department of Health and Human Services that at least 630,755 individuals were affected.
The complaint blames the breach on the failure of J&J and IBM to implement adequate cybersecurity safeguards necessary to protect the information. It also criticizes the companies for waiting over a month to notify victims of the unauthorized access, with Jenkins being notified of the breach on September 20th.
The lawsuit claims that the exposure of sensitive health data puts the plaintiff at lifelong risk of identity fraud and cybercrime. It also accuses IBM of being aware of the risks of data theft to health care data, referencing its incident response team’s work and FBI warnings about cyberattacks against the industry. IBM also faces a class action related to a separate data breach involving the Progress Software’s MOVEit file-transfer application.
IBM has not yet responded to a request for comment, and Jenkins is represented by Bathaee Dunne LLP. Attorneys for IBM and J&J have not entered an appearance.
The case is Jenkins v. International Business Machines Corp. et al, S.D.N.Y., No. 7:23-cv-10244, with the complaint filed on 11/21/23.