Steve Ragan reports:
In a breach notification letter sent to employees this week, Sony Pictures outlines the full scope of data that was compromised by attackers shortly before the Thanksgiving holiday.
[…]
“In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, Social Security Number, claims, appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans.”
Unfortunately, unless Sony Pictures, Inc., is a “covered entity” … a healthcare provider, or insurance company, or PHI data processor … I don’t see how HIPAA applies to their breach. Unless DrOz is offering office visits and writing scrips!
Unforgivable for them to even have the information … can’t imagine what their justification would be … but the HR office should have none of this data, nor should anyone within the company. Watching this unravel will be very interesting.
Actually, they seem to administer their own health plan for employees, and their own letter says the data are HIPAA-covered.
Thank you for pointing out the letter, and yes, their self-admission may indicate that they carry their own coverage and are indeed CEs by law, subject to fine and even jail time.
At the same time, that clarity isn’t yet assured… a quick morning review shows one legal opinion Yea (http://abovethelaw.com/2014/12/celebrities-health-information-compromised-by-sony-hacking/); one Nay (http://www.wired.co.uk/news/archive/2014-12/17/former-employees-sue-sony); and a third suggests “While the industry debates whether Sony and all other employers are covered entities under HIPAA…” (http://www.healthleadersmedia.com/content/TEC-311345/In-2015-Target-Online-Security-or-Be-a-Target).
Also pertinent is the recent Connecticut SC decision to allow HIPAA negligence standards to serve as the standard for private right of action.
I do know that many companies make assumptions that they are covered entities when indeed, they are not … and while I would hope Sony’s breach letter writer wasn’t redefining their role accidentally, you cannot overestimate the raw corporate stupidity running throughout this case. ‘Twere written as a movie script, it would get laughed out of the offices!
Thanks for your thoughtful reply. I’m waiting to see if this gets reported to HHS and what/how HHS responds, but it will be quite a while before we know either.
Regardless of whether this falls under HIPAA, I think employees will face the same “standing” issues in any litigation as we have seen in most lawsuits. Can they demonstrate actual harm or “impending” harm and not just “potential” harm or injury?
I also would like to know what federal agency – if any – can go after Sony on data security. Neither FTC nor the NLRB replied to my tweeted inquiries asking whether they have statutory authority to do so. I may email them. 🙂
Located Sony Pictures Entertainment Inc.’s self-insured group health plans (the “HIPAA Plans”) Notice of Privacy Practices (pdf)
You wizard of the web, you! Thanks for this.
In response to your other post and the replies it generated, no, you’re not the only one to find this activity a major crossing of a line in human relations … and it is dismaying to see how quickly the conversation degenerated into a “Quemoy/Matsu” debate irrelevant to the point made. But please know that your efforts are remarkable, and well appreciated by privacy champions, rare as the breed appears.
Thanks, David. There are those who have suggested I’m asking for trouble by publicly appealing to hackers or criticizing them if they put people at risk of harm, but at least I’m consistent, huh? 🙂