Among the wealth of data leaked in this week's Sony Pictures hack are hundreds of pieces of sensitive medical information about the studio's employees, including complaints about unpaid insurance claims. One of the leaked documents is a spreadsheet listing the most expensive medical procedures undertaken by the company's employees in 2012.
The list of costly medical procedures doesn't include employees' names, only their birth dates. But in other documents, Social Security numbers appear alongside names and home phone numbers, making them perfect fodder for would-be identity thieves. One document named "UNUM Audit" lists the Social Security numbers, policy numbers, names, birth dates and addresses for more than 100 people, some of them high-ranking employees.
Another titled "Aetna-FSA-Employee-Contribution Issue," which details apparent errors in contributions to Aetna-associated flexible spending accounts from 2013, has the names and Social Security numbers of about 270 people. Several documents detailing overpayments made by Aetna also contain insurance-claims numbers and member identification numbers, along with the names of employees.
“People are in a frenzy, especially people in HR and finance,” a junior studio worker told Fusion yesterday. “They’re all freaked out, and nobody knows what to do.”
It's unclear whether Sony Pictures has reached out to the affected employees about the leak of their information. We've reached out to the studio for comment.
The file with the highest-cost patients on Sony Pictures' health plan contains a laundry list of expensive chronic conditions: cancer, heart disorders and end-stage renal disease.
Though the names of the patients were spared, the list did include "member keys" and birth dates, which could make it feasible for someone with access to these documents to figure out who's being treated for what.
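The point above, that dropping names is not the same as de-identifying a record, is the kind of thing a privacy engineer checks before a benefits export leaves the HR system. The following script is an added example, not part of the article and not Sony's or Fusion's code; the spreadsheet rows, member keys, dates and costs are constructed for illustration. It measures k-anonymity (how many rows share each combination of quasi-identifier fields), flags rows whose combination is unique, treats a persistent member key as a direct identifier to be stripped, and shows how coarsening birth dates into five-year bands raises the minimum group size.

```python
"""
Added example: a pre-release check for a 'de-identified' claims spreadsheet.
k-anonymity: the smallest number of rows that share the same values in the
quasi-identifier columns. k == 1 means a row is unique on those fields and
can be matched to a name by anyone holding a second document (a payroll or
enrollment list) that carries the same fields.
All data below is constructed for illustration.
"""
from collections import Counter

# Constructed rows modelled on a 'highest-cost procedures' export.
# member_key is a persistent plan identifier, birth_date a quasi-identifier.
ROWS = [
    {"member_key": "MK-1001", "birth_date": "1971-03-14", "procedure": "dialysis", "cost": 184000},
    {"member_key": "MK-1002", "birth_date": "1965-11-02", "procedure": "chemotherapy", "cost": 212500},
    {"member_key": "MK-1003", "birth_date": "1971-09-22", "procedure": "cardiac surgery", "cost": 98000},
    {"member_key": "MK-1004", "birth_date": "1980-07-30", "procedure": "chemotherapy", "cost": 150000},
    {"member_key": "MK-1005", "birth_date": "1965-05-19", "procedure": "dialysis", "cost": 176000},
    {"member_key": "MK-1006", "birth_date": "1982-01-09", "procedure": "cardiac surgery", "cost": 121000},
]

# Fields that identify a person on their own or join directly to another
# document that names them. A member key is a join key, so it counts.
DIRECT_IDENTIFIERS = {"member_key", "name", "ssn", "phone", "address"}


def _key(row, quasi_ids):
    return tuple(row[c] for c in quasi_ids)


def k_anonymity(rows, quasi_ids):
    """Smallest group size over the given quasi-identifier columns."""
    counts = Counter(_key(r, quasi_ids) for r in rows)
    return min(counts.values())


def singletons(rows, quasi_ids):
    """Rows whose quasi-identifier combination is unique in the table."""
    counts = Counter(_key(r, quasi_ids) for r in rows)
    return [r for r in rows if counts[_key(r, quasi_ids)] == 1]


def strip_direct_identifiers(rows):
    """Remove columns that identify a person outright or join to a named record."""
    return [{c: v for c, v in r.items() if c not in DIRECT_IDENTIFIERS} for r in rows]


def generalize_birth_date(rows):
    """Coarsen an exact birth date to a five-year band (a standard generalization step)."""
    out = []
    for r in rows:
        year = int(r["birth_date"][:4])
        start = year - year % 5
        out.append({**r, "birth_date": f"{start}-{start + 4}"})
    return out


def release_check(rows, quasi_ids, k_required=2):
    """True only if no direct identifiers remain and every group has at least k_required rows."""
    if any(c in DIRECT_IDENTIFIERS for c in rows[0]):
        return False
    return k_anonymity(rows, quasi_ids) >= k_required


if __name__ == "__main__":
    print("raw export, birth_date only: k =", k_anonymity(ROWS, ["birth_date"]),
          "unique rows =", len(singletons(ROWS, ["birth_date"])))
    print("raw export passes release check:", release_check(ROWS, ["birth_date"]))
    safer = generalize_birth_date(strip_direct_identifiers(ROWS))
    print("stripped + banded: k =", k_anonymity(safer, ["birth_date"]),
          "passes release check:", release_check(safer, ["birth_date"]))
```

On the constructed rows every exact birth date is unique, so the "anonymous" export has k = 1 on that column alone, and the member key, which appears unchanged in the enrollment documents that do carry names, is a direct join key rather than a pseudonym. Stripping the key and banding the dates brings every group to at least two rows; in a real employee population the check would be run against the actual distribution and a larger k, since the coarsening needed depends on how many people share each band.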
Detailed health information is tempting for hucksters and thieves, because it can be extremely valuable for such things as insurance fraud. The street value of a medical record, for example, is much higher than that of credit card information. Loss of devices by hospital employees and cyber-vulnerabilities of medical devices have often been cited as security loopholes through which hackers can access people's medical information. The Sony hack, however, makes it clear that non-healthcare-related employer networks can also be a means of getting this type of information.
So what happens when an employer fails to secure employees' medical information? It's tricky.
HIPAA – the federal Health Insurance Portability and Accountability Act, which Congress passed in 1996 to protect medical information – may not apply in Sony Pictures' case, because "employers are not providers of health care, or health insurers to their employees, which is a requirement for HIPAA to apply," wrote Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, in an e-mail.
Plus, HIPAA isn't exactly a privacy law. It's more of a data-access mandate.
"HIPAA coverage is triggered by who has the data," Deven McGraw, a health-data privacy expert, told me earlier this year. "The same piece of data may fall in and out [of HIPAA coverage] multiple times in its lifecycle."
This doesn't mean, however, that Sony is off the hook completely. "Sony has bigger problems here. HIPAA is a tiny tail on the dog," said Kirk Nahra, a partner at Wiley Rein who specializes in healthcare law. "They will have to go through a risk analysis to determine whether they do or don’t have to notify individuals."
It's possible that Sony Pictures could be fined later for not safeguarding its employees' medical information more effectively – say, by encrypting or password-protecting all files that contained sensitive data. The U.S. Department of Health and Human Services could, in theory, step in, says Nahra. But "having a breach doesn’t necessarily lead to penalties. Security breaches happen," he said. "It's highly unlikely [HHS will penalize Sony Pictures]. HHS doesn’t fine people very often."
Tien suggested that Sony Pictures employees "demand that the employer take security seriously, and with brains."
Daniela Hernandez is a senior writer at Fusion. She likes science, robots, pugs, and coffee.
Kashmir Hill is the editor of Fusion's Real Future. She has hacked a stranger's smart home, lived on Bitcoin & paid a surprise visit to the NSA's Utah datacenter, all while trying to prove privacy isn't dead yet. Contact her at firstname.lastname@example.org. PGP: D934E5E9.