Notice of Data Incident

This Notice applies to patients who were enrolled in services prior to July 2, 2023. This Notice does not apply to patients enrolled on or after this date nor does it apply to Janssen’s Pulmonary Hypertension patients.

International Business Machines Corporation (“IBM”) is a service provider to Johnson & Johnson Health Care Systems, Inc. (“Janssen”). IBM manages the application and the third-party database that supports Janssen CarePath. This notice is to inform you of a recent incident involving unauthorized access to personal information stored in Janssen CarePath.

What happened

Janssen recently became aware of a technical method by which unauthorized access to the database could be obtained. Janssen then immediately notified IBM and, working with the database provider, IBM promptly remediated the issue. IBM also undertook an investigation to assess whether there had been unauthorized access to the database. While IBM’s investigation identified, on August 2, 2023, that there was unauthorized access to personal information in the database, the investigation was unable to determine the scope of that access. As a result, IBM has begun notifying Janssen’s CarePath customers and users whose information was contained in the Janssen CarePath database out of an abundance of caution.

What information was involved

The personal information involved in this incident may have included individuals’ names and one or more of the following: contact information, date of birth, health insurance information, and information about medications and associated conditions that were provided to the Janssen CarePath application.

Social Security numbers and financial account information were not contained in the database or affected.

What are we doing

After being informed of the issue by Janssen, IBM and the database provider promptly identified and implemented steps that disabled the technical method at issue. IBM also worked with the database provider to augment security controls to reduce the chance of a similar event occurring in the future.

While IBM has no indication that any of the involved information has been misused, IBM is offering a complimentary one-year credit monitoring service to individuals whose information may have been involved.

What you can do

Janssen CarePath users are encouraged to remain vigilant by regularly reviewing their account statements and explanations of benefits from their health insurer or healthcare providers with respect to any unauthorized activity, and to promptly report any suspicious activity.

Individuals can arrange for credit monitoring by following the instructions on the notification letters that they receive or by calling the number below.

For more information

IBM has established a toll-free center for questions about this incident. You can reach the call center with any questions or concerns Monday through Friday from 9:00 a.m. to 9:00 p.m. ET (excluding major U.S. holidays).

  • For individual users: (888) 604-6584
  • For healthcare providers: (877) 792-3593

Janssen and IBM take information security seriously and are committed to protecting against evolving cyber threats.