(Bloomberg) — Documents stolen from Sony Corp. by hackers include detailed and identifiable health information on more than three dozen employees, their children or spouses — a sign of how much information employers have on their workers and how easily it can become public.
One memo by a human resources executive, addressed to the company’s benefits committee, disclosed details on an employee’s child with special needs, including the diagnosis and the type of treatment the child was receiving. The memo discussed the employee’s appeal of thousands of dollars in medical claims denied by the insurance company.
See also: Remember… HIPAA privacy?
Another document leaked in the hack is a spreadsheet from a human resources folder on Sony’s servers that includes the birth dates, gender, health condition and medical costs for 34 Sony employees, their spouses and children who had very high medical bills. The conditions listed include premature births, cancer, kidney failure and alcoholic liver cirrhosis. The document doesn’t include employees’ names.
A Sony spokesperson didn’t respond to a request for comment.
The health documents are part of a devastating computer attack on the company’s Culver City, Calif,-based unit Sony Pictures that sent thousands of files circling the Web between various file-sharing sites used by hackers. The information revealed has included the salaries of thousands of employees and e-mails taking shots at President Barack Obama and at Hollywood stars like Angelina Jolie. The release of the health information could be some of the most damaging material, said Deborah Peel, director of Patient Privacy Rights, a non-profit group.
The Health Insurance Portability and Accountability Act (HIPAA) privacy provisions impose tough data security and privacy rules on employers and other organizations with access to individuals’ health information.
“This stuff will haunt all those people the rest of their lives. Once it’s up on the Internet it is up in perpetuity,” Peel said.
“This is a thousand times worse than that other stuff,” she said, referring to salary information and personal e-mails. “Health information is the most sensitive information about you.”
Hackers who call themselves Guardians of Peace have been releasing batches of documents every few days since the breach garnered global headlines Nov. 25. Sony is conducting an internal probe that has linked the attack to hackers known as DarkSeoul, according to two people familiar with the company’s investigation. Media reports have tied the group to North Korea. Tokyo-based Sony hasn’t made that association publicly.
One e-mail between Sony’s insurer, Aetna Inc., and its human resources department over a denied claim contains the name of an employee and the type of surgery the worker’s spouse had. Another between health insurer Anthem Inc. and Sony’s human resources department includes the name of an employee and an unresolved claim for speech therapy sessions.
In the memo discussing denied claims for the employee’s special-needs child, Sony’s human resources department went into great detail on the type of treatment the child was getting, how the child was faring, the location of the facility and conversations the insurer had with the child’s care providers. Peel said that level of detail shouldn’t have been shared, especially the child’s name, which isn’t relevant to making a determination about the claim.
“This is the absolute worst nightmare for this employee and their family,” said Peel. “Why they are doing this with the name and location and all the identifiable information is beyond me.”
Carol Olsby, who has worked in human resources at large technology companies, said it wasn’t uncommon at her former employers for workers’ names and medical conditions to be shared in e-mails or for the companies to have a file of the most expensive medical claims.
Employers would sometimes get a list of the costliest claims from an insurer to justify a rate increase, she said. For example, if a company had employees who’d developed costly chronic conditions, like a type of cancer or kidney failure, or had a premature baby, the insurer could argue that rates should rise.
Olsby, who now runs consulting firm Carol Olsby & Associates Inc., also said it wasn’t uncommon for employees to e-mail human resources with medical information related to a denied claim. In all cases, she said the companies would try to keep the information on a “need-to-know basis.”