Sony breach airs PHI of dozens of employees
While the release of scandalous celebrity emails made front-page news during Sony Corp’s data breach last month, the leakage of private employee information is far more damaging. Amidst the thousands of documents stolen from the company were the personal health records of more than three dozen employees and their children. Numerous emails and reports related to employees’ health were leaked during the attack, which exposed the personal information (salaries, social security numbers, home addresses, phone numbers, financial data, scans of passports and performance evaluations) of 47,000 current and former Sony employees. Included in the stolen health documents was a spreadsheet from the company’s HR department that listed the birth dates, gender, health condition and medical costs for 34 workers. Another file contained a list of personal details of one employee’s child with special needs, including reports about the child’s diagnosis, treatment and medical claims history.
The data breach that occurred at Sony could happen anywhere. Incidents such as these highlight the importance of HIPAA training and an employer’s handling of employees’ protected health information (PHI). Large, self-funded employers usually have a heightened level of awareness regarding PHI, since they tend to deal with claims and other insurance issues on a daily basis. It’s critical to educate internal staff on how to deal with such sensitive information, because improper use or disclosure can present the risk of theft and invasion of privacy. PHI can exist in various forms such as printed, oral and electronic materials. Those dealing with confidential data should understand how and when to store, encrypt, share and dispose of such information. Simple actions such as placing a privacy screen on a computer, having no open faxes, and implementing password-protected documents are examples of HIPAA best practices.
The Sony breach reminds us that some of the largest, most technically savvy corporations face serious cyber risks. It also reminds employers to analyze their own internal protocols to make sure that HIPAA breaches don’t occur on any scale, small or large. The ramifications of these breaches involve heavy civil and criminal penalties, and compromise the privacy and protection of innocent individuals whose information is exposed.
If you feel like you need a refresher or more information, we encourage you to consult your WGA team for further details on HIPAA and privacy training.
About the Author
Priya Setty is an Assistant Vice President in the Employee Benefits Group at WGA. Her role involves educating and providing compliance guidance to clients in applicable local, state and federal regulations affecting their insurance programs and employees. She is also a member of WGA’s Health Reform Advisory Committee.