HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Sony Pictures Confirms Breach Potentially Exposed HIPAA Data

Sony Pictures has made an announcement confirming the protected health information of some employees could have been exposed in this month’s security breach. Employees were sent a breach notification letter earlier this week containing details of the data the company believes was exposed.

While the written notification letters have only just been mailed, an E-mail was sent to all affected employees earlier this month alerting them to the security breach and stating that computer records had been compromised. In that E-mail Sony Pictures suggested that all affected persons sign up for credit monitoring services with AllClearID; the company being used by Sony Pictures to help mitigate any damage caused.

The notification letter reiterated the need to sign up for credit monitoring services and provided additional details about the breach, including more information on the scale of the data exposure. Earlier this month some computers at Sony Pictures were hacked in what appears to be a targeted attempt to steal company and employee data. Some of the data has already been posted on internet portals and darknet sites.

The correspondence referred to the incident as a “brazen cyber attack” which was orchestrated and carried out by a group of hackers operating under the acronym GOP – Guardians of the Peace. The hackers threatened to leak data over the internet and a considerable amount of company and employee data has already been exposed. To date more than 200GB of sensitive material has been posted online; material that includes movies yet to be released and company data on marketing strategies and sales. The breach notification letter confirms there was also a HIPAA violation, and informs the victims that most of the company´s human resources files were stolen in the attack.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

According to CSO, the private and confidential human resources records of over 30,000 individuals have already been leaked over the internet. This information includes criminal record checks, salary details, job specifications and staff appraisals. The employees affected by the HIPAA breach have been warned that they may become victims of phishing attacks. Sony Pictures also lists the shocking extent of the data theft:

“Although [Sony Pictures Entertainment] is in the process of investigating the scope of the cyber attack, SPE believes that the following types of personally identifiable information that you provided to SPE may have been obtained by unauthorized individuals: (i) name, (ii) address, (iii) Social Security Number, driver’s license number, passport number, and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) username and passwords, (vii) compensation and (viii) other employment related information.

“In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, Social Security Number, claims, appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans.”

In light of the attacks, Sony Pictures has taken decisive action and shut down all affected servers with the staff now working on a limited network. The incident is being investigated internally as well as law enforcement officers but no announcement has yet been made about the expected time scale to resolve the matter.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.