- A settlement has been reached in the Sony data breach lawsuit, following the large-scale data breach from 2014 where some employees’ personal information, including medical information, was posted online.
A federal class-action lawsuit had been filed on behalf of approximately 50,000 current and former Sony employees who had their personal, financial and medical information exposed, and a settlement was reached last week, according to The San Diego Tribune.
That lawsuit, along with others, claimed that Sony failed to protect employee data, citing previous breaches of the company’s servers.
"We believe the proposed settlement is a favorable resolution of the claims asserted by the plaintiffs," attorney Daniel C. Girard wrote in the filing, according to the news source.
The Sony data breach also led to a case in US District Court in LA, and a hearing on whether it could achieve class-action status was scheduled for September 14, the Tribune reported. In that case at least 10 former Sony employees sued the company.
This is not the first time that employees have questioned the data security of their employer. As reported by HealthITSecurity.com last year, Wendy Schobert filed a complaint against her former employer, Orion Energy Systems, Inc. after the organization wanted to collect medical information for the company wellness program. If Schobert refused to participate, she reported that then she would have to pay the full $5,000 of her health insurance.
The US Equal Employment Opportunity Commission (EEOC) filed a lawsuit against Orion, stating that the wellness program violated the Americans with Disabilities Act (ADA) as it was applied to Schobert who was fired after she objected to the company program.
“Employers certainly may have voluntary wellness programs – there’s no dispute about that and many see such programs as a positive development,” John Hendrickson, regional attorney for the EEOC Chicago district, said in a statement. “But they have to actually be voluntary. They can’t compel participation by imposing enormous penalties such as shifting 100 percent of the premium cost for health benefits onto the back of the employee or by just firing the employee who chooses not to participate.”
If an organization wants to implement employee wellness programs, it is essential that PHI security remains a top priority. Earlier this year, the Department of Health and Human Services (HHS) even posted clarification on how HIPAA regulations must be considered with such programs. Depending on how wellness programs are structured, they could still be subject to HIPAA rules even if the organization is not a covered entity.
“While the HIPAA Rules do not directly apply to the employer, a group health plan sponsored by the employer is a covered entity under HIPAA, and HIPAA protects the individually identifiable health information held by the group health plan (or its business associates),” HHS stated.
It is also important to remember that when the plan sponsor is administering certain aspects of the plan - like wellness program benefits - PHI could be held by the employer as plan sponsor. HIPAA regulations would also protect employee PHI in that situation.