Sony: Employee Health Information May Have Been Compromised

Sony Pictures Entertainment has sent a letter to employees warning them that, along with huge amounts of corporate and employee information, some personal health data belonging to SPE employees may also have been compromised in the attack that hit the company in late November.

The letter, which was also sent to the California Office of the Attorney General, says that the attackers who thoroughly infiltrated SPE's network may have gained access to a wide range of personal health data protected by HIPAA, including Social Security numbers, claims appeal information, diagnosis and disability codes, birth dates, home addresses and member IDs. This is in addition to the other data that may have been compromised, which includes driver's license numbers, passport numbers, salaries, bank account data and other sensitive information.

The attackers who have claimed credit for the Sony breach, who call themselves Guardians of Peace, have been leaking this information out over the course of the last few weeks. Some of the personal health information and other data already has been published online. Sony’s letter to employees is dated Dec. 8, nearly two weeks after the attack first became public.

“SPE learned on December 1, 2014, that the security of personally identifiable information that SPE received about you and your dependents during the course of your employment may have been compromised as a result of such a brazen cyber attack,” the letter says.

The company is also warning employees about the possibility of phishing attacks that exploit the public knowledge of the breach.

“For your security, SPE encourages you to be especially aware of email, telephone and postal mail scams that ask for personal or sensitive information. Neither SPE nor anyone acting on its behalf will contact you in any way, including by email, asking you for your credit card number, social security number or other personally identifiable information,” the letter says.

HIPAA (Health Insurance Portability and Accountability Act) is the United States law that governs the security and privacy of certain kinds of sensitive health information.

Discussion

  • Walt on

    I think this opens a can of worms for many organizations. I don't think many organizations adhere to HIPAA for their HR data and emails. The conventional thought is HIPAA is for medical providers and such, not regular businesses that might have an email from HR about someone's insurance claim. I think in time our government has to make it clear what is protected and what needs to be followed. Right now we all have to interpret the laws ourselves. CA has a law for "confidentiality of medical information" that doesn't read well for IT departments. I'm sure other states have the same. It would be great for Threatpost to offer guidance. I can't be the only one in a smaller organization wondering what we need to do to meet these legal requirements. Title: "Do you have to make your HR department data and emails HIPAA compliant?"
