The recent data breach at Sony Pictures Entertainment was one of the most damaging and costliest cyber attacks in U.S. history. Hackers claiming to be the “Guardians of Peace” (GOP) infiltrated the movie studio's servers, stealing over 100 terabytes of sensitive data. The stolen data includes email correspondence between Sony executives and actors, employees' salaries, Social Security numbers, and HIPAA-protected health records.
According to media reports, the GOP stole, and subsequently leaked, a spreadsheet document containing medical procedures undertaken by Sony Pictures Entertainment employees in 2012. Other documents stolen during the attack reveal employee names, social security numbers, insurance claim numbers, employee identification numbers, phone numbers and home addresses.
Health information such as this is a cyber criminal's dream come true. When a hacker steals sensitive health data, he or she can sell it on the black market – usually at a price higher than traditional credit card and debit card information. The stolen-and-then-purchased medical data may then be used for illegal activities like identity fraud and/or insurance fraud. This is one of the many reasons why doctors and other healthcare providers should take a proactive approach towards protecting their patients' files.
So, what's going to happen to Sony Pictures Entertainment now that it has acknowledged the theft of HIPAA-protected documents? Initially passed by Congress in 1996, the Health Insurance Portability and Accountability Act focuses on healthcare providers and insurers, neither of which is Sony.
But that doesn't necessarily mean Sony is immune to consequences from the 2014 breach. If federal investigators determine that Sony failed to take measures to protect its data, such as encrypting files, the movie studio could be subject to fines. In the wake of this incident, Sony must also notify all individuals whose data was leaked.
“In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, Social Security Number, claims, appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans,” wrote Sony Pictures Entertainment in a letter describing the cyber attack.
The letter sent by Sony also urges employees to take advantage of AllClearID identity protection for the next 12 months, and to beware of phishing attacks and other forms of malicious messages.