Sony hack a security lesson for employers
Documents stolen from Sony by hackers included detailed and identifiable health information of its employees, their children or spouses - a sign of how much information employers have on their workers and how easily it can become public.
One memo by a human resources executive, addressed to the company's benefits committee, disclosed details on an employee's child with special needs, including the diagnosis and the type of treatment the child was receiving. The memo discussed the employee's appeal for thousands of dollars in medical claims denied by the insurance company.
Another document leaked in the hack is a spreadsheet from an HR folder on Sony's servers that includes the birth dates, gender, health condition and medical costs for 34 employees, their spouses and children, who had very high medical bills. The conditions listed include premature births, cancer, kidney failure and liver cirrhosis. The document does not include employees' names.
The health documents are part of a devastating computer attack on the company's Culver City, California-based unit Sony Pictures that sent thousands of files circulating across the web between various file-sharing sites used by hackers. The information revealed included the salaries of thousands of employees and emails critical of President Barack Obama and Hollywood stars like Angelina Jolie.
The release of the health information could be some of the most damaging material, says Deborah Peel, director of Patient Privacy Rights, a non-profit group. "This stuff will haunt all those people for the rest of their lives.
"Once it is up on the internet, it is up in perpetuity. Health information is the most sensitive information about you."
One email between Sony's insurer Aetna and its HR department over a denied claim contains the name of an employee and the type of surgery the worker's spouse had. Another between health insurer Anthem and Sony's HR department includes the name of an employee and an unresolved claim for speech therapy sessions.
In the memo discussing denied claims for the employee's special-needs child, Sony's HR department went into detail on the child's treatment, how the child was faring, the location of the facility, and conversations the insurer had with the child's care providers.
Peel says that level of detail should not have been shared, especially the child's name, which is not relevant to making a determination about the claim. "This is the absolute worst nightmare for this employee and their family," she says. "Why they are doing this with the name and location and all the identifiable information is beyond me."
Carol Olsby, who has worked in HR at large technology companies, says it was common at her former employers for workers' names and medical conditions to be shared in emails or for the companies to have a file of the most expensive medical claims.
Employers would sometimes get a list of the costliest claims from an insurer to justify a rate increase, she says. For example, if a company had employees who developed costly chronic conditions, like a type of cancer or kidney failure, or had a premature baby, the insurer could argue that rates should rise.
Olsby, who now runs consulting firm Carol Olsby & Associates, says it was quite common for employees to email the human resources department with medical information related to a denied claim. In all cases, she says, the companies would try to keep the information on a "need-to-know basis".