Sony Pictures Confirms Breach Potentially Exposed HIPAA Data

Share this article on:

Sony Pictures has made an announcement confirming the protected health information of some employees could have been exposed in this month’s security breach. Employees were sent a breach notification letter earlier this week containing details of the data the company believes was exposed.

While the written notification letters have only just been mailed, an E-mail was sent to all affected employees earlier this month alerting them to the security breach and stating that computer records had been compromised. In that E-mail Sony Pictures suggested that all affected persons sign up for credit monitoring services with AllClearID; the company being used by Sony Pictures to help mitigate any damage caused.

The notification letter reiterated the need to sign up for credit monitoring services and provided additional details about the breach, including more information on the scale of the data exposure. Earlier this month some computers at Sony Pictures were hacked in what appears to be a targeted attempt to steal company and employee data. Some of the data has already been posted on internet portals and darknet sites.

The correspondence referred to the incident as a “brazen cyber attack” which was orchestrated and carried out by a group of hackers operating under the acronym GOP – Guardians of the Peace. The hackers threatened to leak data over the internet and a considerable amount of company and employee data has already been exposed. To date more than 200GB of sensitive material has been posted online; material that includes movies yet to be released and company data on marketing strategies and sales. The breach notification letter confirms there was also a HIPAA violation, and informs the victims that most of the company´s human resources files were stolen in the attack.

According to CSO, the private and confidential human resources records of over 30,000 individuals have already been leaked over the internet. This information includes criminal record checks, salary details, job specifications and staff appraisals. The employees affected by the HIPAA breach have been warned that they may become victims of phishing attacks. Sony Pictures also lists the shocking extent of the data theft:

“Although [Sony Pictures Entertainment] is in the process of investigating the scope of the cyber attack, SPE believes that the following types of personally identifiable information that you provided to SPE may have been obtained by unauthorized individuals: (i) name, (ii) address, (iii) Social Security Number, driver’s license number, passport number, and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) username and passwords, (vii) compensation and (viii) other employment related information.

“In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, Social Security Number, claims, appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans.”

In light of the attacks, Sony Pictures has taken decisive action and shut down all affected servers with the staff now working on a limited network. The incident is being investigated internally as well as law enforcement officers but no announcement has yet been made about the expected time scale to resolve the matter.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On