Personal Health Data Made Public in Cyberattack on Sony Pictures
December 15, 2014 in News
Documents released in a cyberattack on Sony Pictures include the identifiable health information of more than three dozen company employees, their spouses or their children, Bloomberg reports.
The breach is part of an ongoing hacking effort by a group called Guardians of Peace, which has been identified by Sony as linked to the DarkSeoul hacking group. The hackers, who have been tied to North Korea in media reports, have released batches of documents since Nov. 25.
Details of Data Breach
The documents that have been made public as part of the breach at Sony include:
- An email between the company’s human resource department and Aetna, the company’s insurer, about a denied claim that contained the employee and the worker’s spouse’s type of surgery;
- An email between the company’s human resource department and health insurer Anthem about an unresolved speech therapy session claim that included the employee’s name; and
- A memo to Sony Pictures’ benefits committee from a human resource executive about an insurer’s denial of a claim for an employee’s child, which included details on the child’s diagnosis, name, treatment and treatment facility location.
The breach also included a spreadsheet on 34 employees, their spouses and their children who had particularly costly medical bills, which was obtained from a human resources folder located on the company’s servers. The spreadsheet did not include employee names but listed other identifiable information, including:
- Dates of birth;
- Health conditions; and
- Health costs.
Patient Privacy Rights Director Deborah Peel said that the breach of the health data was “a thousand times worse” than the other Sony documents released by the hackers.
Peel added that Sony should not have shared personal data that was not relevant to making claim determinations, such as the name and treatment facility location for a child (Pettypiece, Bloomberg, 12/12).