This morning, the headlines will bemoan Sony Pictures' decision to scrap plans to release the Seth Rogen/James Franco film The Interview—a comedy about a pair of doofuses who conspire to assassinate North Korean dictator Kim Jong Un—because of threats from hackers linked to North Korea.
Social media will erupt with heated discussions about the hypocrisy of a Hollywood system unwilling to stand behind its creative offerings. People around the world will argue about balancing creative freedom against the potential harm to moviegoers, and we will all tire of seeing links to the various stories in our Facebook feeds.
All of it means that people, en masse, are missing the point. As we covered here earlier this week, the Sony hack that has led the current news cycle also exposed a variety of personal health information belonging to staffers at Sony Pictures.
The mainstream media, which is easily distracted by Kim Kardashian, has not bothered to pick up on the very serious and very threatening exposure to every American's personal health information (except for Bloomberg/Washington Post). Worse, the break-in reveals some very dangerous exposure for healthcare businesses and their corporate clients who may be the next to suffer at the hands of hackers.
Who's responsible?
First, let's review: Data breaches cost the healthcare industry an estimated $5.6 billion annually. Still, only about 69% of organizations have a data breach plan in place, according to a 2013 survey of health security staff. The majority of these breaches take place at the source, the healthcare institutions themselves, while the Sony hack culled private info from a third party—Sony's HR department.
Of course, the first thing most healthcare insiders will say is, "Well, as a third party, Sony isn't covered by HIPAA, so this isn't a regulatory violation." Technically, that's true, but the issue doesn't end there. While HHS would be hard-pressed to sanction Sony, the US court system is not quite so forgiving. The Sony hack likely won't result in any healthcare-related lawsuits, but let's play a little "what if?"
What if the personal health information made public by the Sony hack included the name of a popular leading man, an actor whose career has been built on playing the handsome hero and love interest for his female leads, along with that actor's treatment for HIV-related conditions? That leak could destroy his popularity and his career, so it would represent dramatic harm to his livelihood. His well-paid Hollywood attorney would sue everyone in the food chain of that information, including Sony, his doctors, the hospital where treatment was rendered and the insurance company. The strategy in those lawsuits is to go for the deepest pockets: sue everyone, in the hope that one defendant will flip on the others.
Now, how much would that cost those healthcare institutions in legal fees, bad publicity and settlement awards? That's a case that could add a nice chunk to the $5.6-billion toll already being extracted for mismanaging healthcare information, and that is only a single case.
The industry should not be distracted by the Hollywood element of the Sony hack; it should instead take a serious look at how it traffics information back and forth between employers, insurance claims staff, benefits managers and patients. Moreover, in a profession where many employees have direct responsibility for human lives, we need to look past HIPAA and possible court sanctions.
Every patient has a reasonable expectation of privacy with regard to their health records, regardless of whether HIPAA has a regulation covering every specific scenario in which that information might reach public view. That's a sacred trust, and not a place for splitting hairs.
Dr. Deborah Peel, director of the Patient Privacy Rights Foundation, summed it up earlier this week.
"This stuff will haunt all those people the rest of their lives. Once it's up on the Internet it is up in perpetuity," Peel said. "This is a thousand times worse than that other stuff. Health information is the most sensitive information about you... This is the absolute worst nightmare for this employee and their family. Why they are doing this with the name and location and all the identifiable information is beyond me."
Why, indeed.