Employee personal information – the gift you don’t want to give this Christmas

You may have heard the news of the monumental data hack on Sony late last month, in which several personal e-mails, rough cuts of movies, and screenplays were obtained from the media giant and released without authorization. According to several news outlets, the e-mails in particular reveal personal gripes about certain celebrities (shocker!) and have raised allegations of pay disparities among stars and starlets.

Below the surface of these salacious allegations lies a more common problem: employee personal information. According to reports, hackers also allegedly stole, and are threatening to release, sensitive personal information belonging to Sony employees, including Social Security numbers and detailed medical information. This has serious implications under the Health Insurance Portability and Accountability Act (HIPAA), which sets the baseline for protection of employees’ protected health information (PHI) across the country. Individual states can add their own protections.

The main issue that arises here is whether the hack, and the potential release of the employee information, constitutes a “breach.” If the company determines a breach has occurred, it must comply with certain notice requirements to its employees. Under the governing HIPAA rules, any impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless the company shows there is a low probability that the PHI has been compromised. That determination is based on a risk assessment using four factors:

  1. the nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;
  2. the unauthorized person who used the PHI or to whom the disclosure of PHI was made;
  3. whether the PHI was actually viewed or acquired or, alternatively, if only the opportunity existed for the information to be viewed or acquired; and
  4. the extent to which the risk to the PHI has been mitigated.

If the company determines a qualifying breach has occurred, it must provide notification of the breach to the affected individuals, to the Secretary of Health and Human Services, and, in certain circumstances, to the media.

While your company is unlikely to experience the type of calculated and complex invasion that Sony is dealing with (unless you, too, decide to lampoon North Korea), there are certain steps you should take to limit the likelihood of such a breach. First, you should ensure any PHI stored electronically is kept secure through the use of firewalls and encrypted networks. Employers should take particular precaution to ensure their prophylactic measures extend to employee laptops and mobile devices, either company-provided or belonging to employees.

Second, employers should develop appropriate internal policies governing the proper handling of PHI and the importance of maintaining confidentiality. Employers should not only train their employees on these policies and procedures regularly but also train managers on how to enforce the protocols through counseling and discipline if necessary.

Lastly, companies sharing PHI with third-party vendors should ensure they have appropriate Business Associate agreements in place governing the use and controls regarding such information. Taking these steps can go a long way to ensure you don’t end up becoming the next victim of leaked information.