Protecting Employee Health DataAttorney Offers Lessons from Sony, U.S. Postal Service Hacks
The recent hack attacks targeting Sony Pictures Entertainment and the U.S. Postal Service that compromised employee health data illustrate why all organizations - and not just healthcare entities - need to safeguard health-related information, says attorney Susan A. Miller.
In a breach notification letter that Sony Pictures sent to affected employees following its Nov. 24 breach, the company said compromised data included "diagnosis and disability codes; date of birth; home address; member ID number to the extent that an employee and their dependents participated in Sony's health plans; and health/medical information provided to Sony outside of the company's health plans."
In the Nov. 10, 2014, U.S. Postal Service breach, certain health information, including workers' compensation injury claim data, for approximately 485,000 current and former employees was potentially compromised (see Sony's Breach Notification: The Details).
Miller emphasizes in an interview with Information Security Media Group that even if an organization is not required to comply with the HIPAA privacy and security rules because it does not meet the definition of a "covered entity" or "business associate," if it fails to adequately protect health-related information, it could still face costly consequences. Those range from employee lawsuits to regulatory enforcement actions by state or federal agencies.
As a result, any organization that stores employee health information should implement privacy and security policies and procedures, including encrypting communications containing employees' personally identifiable information and health-related data. Also, organizations should prepare a detailed breach response plan that spells out staff responsibilities and invest in a cyber-insurance policy to help cover expenses, she says.
Miller points out that employers' self-funded group health insurance plans must comply with HIPAA's rules for protecting health information. In fact, the Department of Health and Human Services' "wall of shame" website listing major breaches reported under the HIPAA requirements now includes the Sony incident. The entry shows Sony Pictures Entertainment Health and Welfare Benefits Plan as the HIPAA covered entity in the health data breach, which affected 30,000 workers.
In the interview, Miller also discusses:
- Important elements of a breach response plan for incidents involving employees' personally identifiable information;
- The definition of protected health information and the types of organizations that need to safeguard PHI under HIPAA;
- Other regulations that potentially cover breaches that involve employees' personal identifiable information.
Miller is an independent attorney specializing in HIPAA, HITECH Act and other national and state-level healthcare-related issues. She was one of the founders of the Workgroup for Electronic Data Interchange's Strategic National Implementation Process Security and Privacy Workgroup. A frequent speaker at national healthcare privacy and security conferences, Miller has 40 years of professional leadership experience spanning teaching, biochemistry research and law.