HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Sony Pictures Hack Exposes Sensitive Employee Health Information

This week saw Sony Pictures attacked by a group of hackers calling themselves “Guardians of Peace”. The hackers gained access to a number of computers of Sony Pictures employees and obtained files containing highly sensitive information. The group then proceeded to publish some of the stolen documents and spreadsheets online as evidence of their successful hack. Included in the posts was what appeared to be a list of passwords to three machines the hackers claimed to control. The group is claiming to have gained access to hundreds of Sony Pictures computers

According to Fusion.net, the files obtained from the computers include a spreadsheet containing the names, birth dates and social security numbers of 3,803 employees of Sony Pictures. The list also includes the details of the company’s top executives, with payroll data also available. Details of employee pay raises and other financial information is in the unprotected data. One document details the staff that had contracts terminated in 2014, with the reasons why their employment was terminated.

The data is not limited to financial information and social security numbers; many documents contain ePHI and sensitive medical information. Spreadsheets detailing unpaid insurance claims and employee complaints have also been obtained by the hackers, and a list of employees who had undertaken expensive medical procedures in 2012.

The medical information contained in the spreadsheets can be sold on by the thieves. The data can be used to make fraudulent insurance claims, obtain prescriptions and commit medical fraud. While the healthcare industry is particularly vulnerable to attacks by cyber criminals after their lucrative ePHI data, non-healthcare entities can also be affected. While Sony Pictures may not be a HIPAA-covered entity under normal circumstances, when its computer systems were breached and ePHI was exposed, HIPAA came into effect.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Under the Health Insurance Portability and Accountability Act, (1996), providers of healthcare or health insurance are required to adhere to regulations which enforce standards of data security to protect health information of patients. Sony Pictures does not fall under HIPAA regulations as it provides neither, so HIPAA would not apply under normal circumstances.

However, a HIPAA breach occurs when ePHI data is accessed by an unauthorized individual, and since this has been the case, legislation applies as it exists to protect the data. The Department of Health and Human Services could therefore intervene and conduct an investigation, potentially fining Sony Pictures for failing to take sufficient measures to safeguard personal health information of its employees.

Sony Pictures is currently trying to assess the damage and take appropriate action to shore up defenses and mitigate the damage as far as is possible; however files are still being posted online and the hackers are still at large.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.