Sony Pictures Entertainment has sent a letter to employees warning them that, along with huge amounts of corporate and employee information, some personal health data belonging to SPE employees may also have been compromised in the attack that hit the company in late November.
The letter, which also was sent to the California Office of the Attorney General, says that the attackers who thoroughly infiltrated SPE’s network may have gotten access to a wide range of personal health data protected by HIPAA, including Social Security numbers, claims appeal information, diagnosis and disability codes, birth dates, home addresses and member IDs. This is in addition to the other data that may have been compromised, which includes driver’s license numbers, passport numbers, salaries, bank account data and other sensitive information.
The attackers who have claimed credit for the Sony breach, who call themselves Guardians of Peace, have been leaking this information out over the course of the last few weeks. Some of the personal health information and other data already has been published online. Sony’s letter to employees is dated Dec. 8, nearly two weeks after the attack first became public.
“SPE learned on December 1, 2014, that the security of personally identifiable information that SPE received about you and your dependents during the course of your employment may have been compromised as a result of such a brazen cyber attack,” the letter says.
The company also is warning employees about the possibility of phishing attacks against them based on the public knowledge of the breach.
“For your security, SPE encourages you to be especially aware of email, telephone and postal mail scams that ask for personal or sensitive information. Neither SPE nor anyone acting on its behalf will contact you in any way, including by email, asking you for your credit card number, social security number or other personally identifiable information,” the letter says.
HIPAA (Health Insurance Portability and Accountability Act) is the United States law that governs the security and privacy of certain kinds of sensitive health information.