(Bloomberg) — Documents stolen from Sony Corp. by hackers include detailed and identifiable health information on more than three dozen employees, their children or spouses — a sign of how much information employers have on their workers and how easily it can become public.

One memo by a human resources executive, addressed to the company's benefits committee, disclosed details on an employee's child with special needs, including the diagnosis and the type of treatment the child was receiving. The memo discussed the employee's appeal of thousands of dollars in medical claims denied by the insurance company.

Another document leaked in the hack is a spreadsheet from a human resources folder on Sony's servers that includes the birth dates, gender, health condition and medical costs for 34 Sony employees, their spouses and children who had very high medical bills. The conditions listed include premature births, cancer, kidney failure and alcoholic liver cirrhosis. The document doesn't include employees' names.

A Sony spokesperson didn't respond to a request for comment.

The health documents are part of a devastating computer attack on the company's Culver City, California-based unit Sony Pictures that sent thousands of files circling the Web between various file-sharing sites used by hackers. The information revealed has included the salaries of thousands of employees and e-mails taking shots at President Barack Obama and at Hollywood stars like Angelina Jolie. The release of the health information could be some of the most damaging material, said Deborah Peel, director of Patient Privacy Rights, a non-profit group.

Most Sensitive

"This stuff will haunt all those people the rest of their lives. Once it's up on the Internet it is up in perpetuity," Peel said.

"This is a thousand times worse than that other stuff," she said, referring to salary information and personal e-mails. "Health information is the most sensitive information about you."

Hackers who call themselves Guardians of Peace have been releasing batches of documents every few days since the breach garnered global headlines Nov. 25. Sony is conducting an internal probe that has linked the attack to hackers known as DarkSeoul, according to two people familiar with the company's investigation. Media reports have tied the group to North Korea. Tokyo-based Sony hasn't made that association publicly.

Denied Claims

One e-mail between Sony's insurer, Aetna Inc., and its human resources department over a denied claim contains the name of an employee and the type of surgery the worker's spouse had. Another between health insurer Anthem Inc. and Sony's human resources department includes the name of an employee and an unresolved claim for speech therapy sessions.

In the memo discussing denied claims for the employee's special-needs child, Sony's human resources department went into great detail on the type of treatment the child was getting, how the child was faring, the location of the facility and conversations the insurer had with the child's care providers. Peel said that level of detail shouldn't have been shared, especially the child's name, which isn't relevant to making a determination about the claim.

"This is the absolute worst nightmare for this employee and their family," said Peel. "Why they are doing this with the name and location and all the identifiable information is beyond me."

Not Uncommon

Carol Olsby, who has worked in human resources at large technology companies, said it wasn't uncommon at her former employers for workers' names and medical conditions to be shared in e-mails or for the companies to have a file of the most expensive medical claims.

Employers would sometimes get a list of the costliest claims from an insurer to justify a rate increase, she said. For example, if a company had employees who'd developed costly chronic conditions, like a type of cancer or kidney failure, or had a premature baby, the insurer could argue that rates should rise.

Olsby, who now runs consulting firm Carol Olsby & Associates Inc., also said it wasn't uncommon for employees to e-mail human resources with medical information related to a denied claim. In all cases, she said the companies would try to keep the information on a "need-to-know basis."
