Dive Brief:
- While the gossip columnists and bloggers eat up stories coming out of the Sony Pictures email cyberattack, a leading patient privacy activist is calling the release of employee healthcare information a very serious problem, according to an article from Bloomberg Business News.
- Among the publicly released documents are: an email to Aetna about a denied claim that contained the employee and the worker's spouse's type of surgery; an email to Anthem about an unresolved speech therapy session claim that included the employee's name; and a memo to Sony Pictures' benefits committee by a human resources executive on an insurer's denial of a claim for an employee's child, which included details on the child's diagnosis, name, treatment and treatment facility location.
- "This stuff will haunt all those people the rest of their lives," said Dr. Deborah Peel, MD, Director of the Patient Privacy Rights Foundation. "Once it's up on the Internet it is up in perpetuity."
Dive Insight:
Dr. Peel is right: This is far more serious than spoilers about the next Spider-Man movie or nasty insults from studio executives about movie stars (even though that picture of Angelina Jolie running into Sony executive Amy Pascal, whose hacked email called Jolie "spoiled and minimally talented," is totally a keeper).
Lest we get too distracted by the incredibly entertaining gossip being generated by the hack, it's time for all executives in every company to start taking the privacy of their employees' patient records seriously. Quite frankly, any human resources director who compromises HIPAA-protected healthcare data should be fired on the spot.
Sony's reaction to the healthcare concerns stated by Dr. Peel will be critical, and will likely be used either as a playbook for how to handle such breaches or as a cautionary tale of what not to do. Either way, companies need to look past the mainstream media's coverage of the Sony hack and tighten up their own HR operations.
The best way to prevent this information from getting out is to follow the HIPAA guidelines and keep confidential patient information out of the company email system and away from HR departments with a cavalier attitude about their employees' private records.