Documents stolen from Sony Corp. by hackers include detailed and identifiable health information on more than three dozen employees, their children or spouses -- a sign of how much information employers have on their workers and how easily it can become public.
One memo by a human resources executive, addressed to the company’s benefits committee, disclosed details on an employee’s child with special needs, including the diagnosis and the type of treatment the child was receiving. The memo discussed the employee’s appeal of thousands of dollars in medical claims denied by the insurance company.
Another document leaked in the hack is a spreadsheet from a human resources folder on Sony’s servers that includes the birth dates, gender, health condition and medical costs for 34 Sony employees, their spouses and children who had very high medical bills. The conditions listed include premature births, cancer, kidney failure and alcoholic liver cirrhosis. The document doesn’t include employees’ names.
A Sony spokesperson didn’t respond to a request for comment.
The health documents are part of a devastating computer attack on the company’s Culver City, California-based unit Sony Pictures that sent thousands of files circling the Web between various file-sharing sites used by hackers. The information revealed has included the salaries of thousands of employees and e-mails taking shots at President Barack Obama and at Hollywood stars like Angelina Jolie. The health information could be some of the most damaging material released, said Deborah Peel, director of Patient Privacy Rights, a non-profit group.
“This stuff will haunt all those people the rest of their lives. Once it’s up on the Internet it is up in perpetuity,” Peel said.
“This is a thousand times worse than that other stuff,” she said, referring to salary information and personal e-mails. “Health information is the most sensitive information about you.”
Hackers who call themselves Guardians of Peace have been releasing batches of documents every few days since the breach garnered global headlines Nov. 25. Sony is conducting an internal probe that has linked the attack to hackers known as DarkSeoul, according to two people familiar with the company’s investigation. Media reports have tied the group to North Korea. Tokyo-based Sony hasn’t made that association publicly.
One e-mail between Sony’s insurer, Aetna Inc., and its human resources department over a denied claim contains the name of an employee and the type of surgery the worker’s spouse had. Another between health insurer Anthem Inc. and Sony’s human resources department includes the name of an employee and an unresolved claim for speech therapy sessions.
In the memo discussing denied claims for the employee’s special-needs child, Sony’s human resources department went into great detail on the type of treatment the child was getting, how the child was faring, the location of the facility and conversations the insurer had with the child’s care providers. Peel said that level of detail shouldn’t have been shared, especially the child’s name, which isn’t relevant to making a determination about the claim.
“This is the absolute worst nightmare for this employee and their family,” said Peel. “Why they are doing this with the name and location and all the identifiable information is beyond me.”
Carol Olsby, who has worked in human resources at mid-sized and large technology companies, said employers who aren’t self-insured may receive aggregate financial data for unusually large medical claims if the insurance broker is justifying a significant rate increase.
For example, if a company had employees who’d developed costly chronic conditions, like a type of cancer or kidney failure, or had a premature baby, those would be considered serious medical conditions and the insurer could argue that rates should rise. She said employee names and personal information wouldn’t be shared.
Olsby, who now runs consulting firm Carol Olsby & Associates Inc., also said some employees may e-mail the company’s human resources department with medical information if a claim is denied. Human resources would investigate the situation and determine if they need to contact the insurance company. The information would only be provided to those “who would have a need to know.”