Medical records exposed in massive Sony hack
Sony last week notified employees that their medical data and Social Security numbers were swiped in a cyberattack, a breach that has prompted privacy advocates to reaffirm the need to implement further data safeguards.
Sony Pictures Entertainment on Dec. 8 sent letters to 34 Sony employees and their dependents, notifying them that their protected health information, medical diagnoses, Social Security numbers, credit card information, passwords, compensation, passport numbers and other personally identifiable information had been stolen in a "brazen cyberattack." Medical information on employees included conditions such as alcohol-induced liver cirrhosis, kidney failure and cancer, according to a Bloomberg report.
Sony officials did not respond to requests for comment by publication time.
[See also: Hackers swipe data of 60K in vendor HIPAA breach.]
The attack, which transpired Nov. 24 at Sony's Culver City, Calif.-based office, caused a "significant system disruption," Sony Pictures officials wrote in the notification letter.
U.S. government officials with information on the ongoing investigation into the hacking have said they are "fairly confident" North Korea was responsible for the cyberattack.
The incident has prompted privacy advocates to speak out on the need to implement added safeguards to protect data in the digital age.
Deborah Peel, MD, founder of Patient Privacy Rights, a non-profit health privacy advocacy group, was chief among them to weigh in.
"This stuff will haunt all those people the rest of their lives. Once it's up on the Internet it is up in perpetuity," Peel told Bloomberg. "This is a thousand times worse than that other stuff," she said, referring to salary information and personal e-mails. “Health information is the most sensitive information about you.”
[See also: Breach alert: Hackers swipe data of 4.5M.]
The worst part of this breach, as Peel pointed out in her blog response to it? "The greatest damage caused by the lack of control over (personally identifiable information) is the loss of trust – trusted relationships between people, companies and governments are impossible without personal control over PII."
Peel cited what transpired earlier this year with AOL after CEO Tim Armstrong revealed healthcare details about two employees to explain why the company opted to cut certain health benefits.
What that episode showed, said Peel, is that employers do look at their employees' personal health information. "Trusted relationships simply cannot exist if individuals have no right to decide who to let in and who to keep out of PII," she added. "Current U.S. technology systems make it impossible for us to control personal health data, inside or outside of the healthcare system."
There has already been a significant number of hacking-related health data breaches in the last few months alone.
In November, for instance, the Dallas-based Onsite Health Diagnostics, a medical testing and screening company that contracts with the state of Tennessee's wellness plan, notified more than 60,000 people that their protected health information had been accessed and stored by an "unknown source" for a period of about three months beginning in April. What's more, it took officials some four months to notify the individuals affected.
[See also: Hacker group strikes Boston Children's.]
In August, in the second biggest HIPAA breach ever reported, the Franklin, Tenn.-based Community Health Systems notified 4.5 million of its patients that their personal information had been stolen by cybercriminals who reportedly exploited the Heartbleed vulnerability, the OpenSSL TLS heartbeat flaw that lets an unauthenticated remote attacker read chunks of a server's memory.
To date, nearly 42 million individuals have had their protected health information compromised in reportable HIPAA privacy and security breaches, according to data from the Department of Health and Human Services. Some nine percent of those breaches are hacking-related.