There's another consequence of the Sony Pictures hack that's been less publicized but potentially more serious: the release of sensitive materials about employees' medical bills and health conditions, some including names and identifiable information.
Credit: Getty Images

Juicy Hollywood gossip and a cancelled movie release aside, there's another consequence of the Sony hack that's been less publicized but potentially more serious: the release of sensitive materials about employees' medical bills and health conditions, some including names and identifiable information.

Among the emails and documents stolen from Sony Pictures Entertainment—released over the past few weeks by a hacker group known as Guardians of Peace—was a spreadsheet taken from a human resources server detailing the high medical bills of 34 employees and their families.

These employees were not named on the spreadsheet. But potentially identifiable information (like birth dates and genders) did accompany the tallies of medical costs and conditions for which people were being treated, such as cancer, kidney failure, alcoholic liver cirrhosis, and premature births.

Other leaked documents did include names, plus mentions of rejected insurance claims for employees' children or spouses. reports that in one memo, Sony's HR department "went into great detail on the type of treatment [an employee's special-needs] child was getting, how the child was faring, the location of the facility, and conversations the insurer had with the child's care providers."

This type of breach can be terrifying—even life-changing—for the people directly affected. But it should also be concerning to anyone wondering about his or her own privacy rights, how much companies should know about their employees' health records, and how safe those records really are.

Your privacy rights

Americans are protected by the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, which sets rules about who can access your medical and insurance records—and that applies to information that's electronic, written, or oral. Under HIPAA, your insurance company cannot share identifiable medical information with your employer without your consent.

But employees often do consent (sometimes without realizing it) by signing paperwork when they're hired, says Lara Cartwright-Smith, JD, MPH, associate research professor at the George Washington University Milken Institute School of Public Health and co-director of They may also reveal sensitive information voluntarily—for example, when seeking help from their benefits department in getting claims approved.

HIPAA doesn't apply to most employers—only to health plans and health-care providers—so once your employer has sensitive health information, it's not required to protect it in the same way. And generally, privacy rights aren't protected in the event of a crime, says Cartwright-Smith—assuming that the victim of that crime (Sony, in this case) had done everything in its power to prevent it.

"Think of it as if someone broke into your doctor's office and stole your chart," she says. "Your doctor didn't do anything wrong, so he's probably not going to be liable. And digital files these days can be just as secure or as unsecured as paper files."

Emailing about employee's claims or keeping files of expensive medical bills doesn't seem problematic in itself, Cartwright-Smith adds, assuming the materials were being used for legitimate business reasons and not for invasive or discriminatory purposes.

Your employer's responsibility

Pam Dixon, executive director of the non-profit World Privacy Forum, agrees that a spreadsheet of high medical costs is "probably not an unusual list to see in the HR department." But she says Sony has an obligation to keep that information protected, and to limit unnecessary risks. "I would certainly consider it best practices not to be discussing employee health matters in emails and in unsecured ways."

And Sony may be held accountable if it's found that the company did not take necessary steps to safeguard such materials, she says. Dixon cites the recent case of a mental health clinic in Alaska that was hacked and later fined by the government for failing to update its virus-protection software.

"I think this is a watershed moment for sensitive information," Dixon says. "If you have not kept up-to-date with your security, if you're not providing really state-of-the-art protection for this kind of sensitive information, you have liability."

Under the Federal Trade Commission's Health Breach Notification Rule, companies that collect personal health information must notify employees if that information becomes compromised or leaked, Dixon says. California also has its own laws which require employers to keep medical records secure and to notify employees in the event of a breach.

In fact, former Sony employees this week filed two different class-action lawsuits against Sony for failing to protect their data and for not notifying them about the hack in a timely manner. They say Sony knew about digital security weaknesses for years and failed to take precautions such as using firewalls, encrypting files, and storing data on protected networks. Sony Pictures did not immediately return Health's requests for comment on the lawsuit.

How to protect yourself

You may not be able to keep all of your health information private from your employers—they have a right to ask for doctor's notes, justification for family leave, or medical information that can directly impact how you do your job—but you can limit what they have access to.

"Read everything before you sign when you're filling out insurance paperwork or anything related to a workplace wellness program," Cartwright-Smith says, "and make sure you understand where your health information is going to be shared."

Dixon says the Sony hack will likely force other companies to take a good look at their own security and will hopefully put new safeguards in place across all industries. To be sure your employer is paying attention, just ask.

"For anyone who has a chronic health condition or who has family with a chronic condition, it's not a terrible thing to go to HR and say, 'I'm really concerned about what happened; what procedures do you have in place to ensure it doesn't happen here?'" Dixon says. "I do believe that most employers at this point are putting it on very high priority to review these procedures."

Employees can also protect themselves by requesting and keeping their own copy of their current medical record from their insurance company and their doctor, Dixon says. That way if someone does steal your health information and use it to seek their own medical treatment—a crime known as medical identity theft—you'll have a "before" copy to help separate legitimate entries from illegal ones.

Keeping private health information off social media can also protect you in the event that your medical records are hacked or shared unlawfully, Dixon says. "If you've posted information somewhere else in the past that wasn't secured, you may lose a lot of your confidentiality rights."

Finally, she says, don't include personal information in work correspondences and avoid discussing serious health issues with coworkers. "If there's a casual conversation around the water cooler, no problem—but just keep it light, and keep it out of email."