What is PHI breach (protected health information breach)?

Why is the healthcare sector vulnerable to data breaches?

In recent years, healthcare organizations in general, and PHI in particular, have become popular targets for criminal, financially motivated cyberattacks. One reason is because PHI can't easily be canceled or changed -- unlike illegally appropriated personal electronic financial information such as credit cards and bank account numbers. The persistence of PHI is what criminals and others who hack into health data, or physically steal printed information or stored data, are after.

PHI is also valuable because it is contained within a historical electronic record that not only includes health details, but also other types of valuable data, such as date of birth, Social Security number and financial information like credit card numbers.

Attackers who can get their hands on this data can potentially misuse it to do the following:

• Engage in identity theft.
• Perpetrate financial or tax fraud.
• File fraudulent insurance claims.
• Blackmail or extort individuals.
• Fraudulently obtain prescription drugs.

Often, such attacks are carried out to get information that the criminal can then use to perpetrate Medicare or other medical fraud.

Other criminal motives for attempting PHI breaches include the following:

• Gaining access to the sensitive or private health information about high-profile public figures.
• Gaining access to health organization computer networks to steal intellectual property.
• Learning about workflow and capabilities of the organization's electronic health record (EHR) system.
• Executing large-scale phishing attacks.

How does HIPAA define a PHI breach?

According to the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), a breach is "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information."

The above definition of PHI breach under the HIPAA Breach Notification Rule does not hold only in three cases:

• If an employee or authorized individual from a HIPAA-covered entity (CE) or business associate (BA) unintentionally acquired, accessed or used PHI.
• If a person authorized to access PHI at a CE or BA inadvertently disclosed the PHI to another person authorized to access PHI at the CE or BA.
• If the CE or BA believes in good faith that the unauthorized person to whom the impermissible disclosure of the PHI was made, would not have been able to retain the information (reducing the possibility that they would be able to misuse it).

HIPAA also differentiates between a HIPAA breach and a HIPAA violation. A PHI breach is deemed to occur when unsecured PHI is acquired, accessed, used or disclosed in a manner not permitted by the HIPAA Privacy Rule. In contrast, a HIPAA violation means that the CE or BA did not comply with one or more requirements stated in the HIPAA Privacy, Security, or Breach Notification Rules.

HIPAA Breach Notification Rule

In the U.S., HIPAA governs how healthcare organizations protect the privacy and security of individuals' PHI. HIPAA also states certain notification requirements following a breach of unsecured PHI. Here, "unsecured" means PHI that is not unusable, unreadable or indecipherable to unauthorized persons (meaning unauthorized persons could potentially use, read or decipher it).

The HIPAA breach requirements apply to all HIPAA CEs and are laid out in the HIPAA Breach Notification Rule.

The most basic notification requirements are as follows:

• CEs must provide notification of the breach to affected individuals and the Secretary of the Department of Health and Human Services (HHS).
• In certain circumstances (see below), CEs might also be required to provide breach notification to the media.
• BAs must notify CEs if a breach occurs at or by the BA within 60 days of discovering the breach. In such cases, the BA might provide notifications to affected individuals (although the CE remains ultimately responsible for ensuring that all individuals are notified).

The HIPAA Breach Notification Rule clearly states that CEs, on discovering the breach, must notify affected individuals, either in written form or using email, no later than 60 days following the discovery. The notification must include the following details:

• Brief description of the breach and the types of information involved.
• Steps affected individuals should take to protect themselves from potential harm.
• Brief description of what the CE is doing to investigate the breach, mitigate harm, and prevent further breaches.
• Contact information for the CE (or BA, as applicable).

Additionally, the CE must provide a toll-free phone number that remains active for at least 90 days to help individuals learn if their PHI was involved in the breach.

After discovering the PHI breach, the CE must notify the HHS Secretary by filling out the standard breach report form. If the breach is large-scale, i.e., affecting more than 500 individuals, the breach notification should be provided within 60 days of the breach. For breaches affecting fewer than 500 individuals, the CE may notify the Secretary on an annual basis.

In case of a PHI breach affecting more than 500 residents of a State or jurisdiction, the CE must notify the affected individuals and notify prominent media outlets serving that State or jurisdiction in the form of press releases. Like individual notices, media notification must also be provided no later than 60 days following breach discovery.

After sending out all relevant notifications, the CE must maintain documentation that all required notifications were made. Alternatively, they can provide documentation to demonstrate that notifications were not required due to a low probability (calculated after conducting a risk assessment) of PHI compromise.

Penalties for violating HIPAA Breach Notification Rule

HIPAA CEs must follow the breach notification rules, particularly around timelines. Otherwise, they might incur financial penalties from the HHS' Office for Civil Rights (OCR). Several healthcare organizations have incurred hefty penalties imposed by the HHS OCR.

For example, in 2013, Presence Health (now part of Ascension, the largest nonprofit health system in the U.S.) experienced a data breach that resulted in the loss of PHI belonging to more than 800 patients. Despite discovering the breach in October 2013, the organization did not notify OCR until January 2014, over a month after the 60-day notification deadline had passed. Affected patients were also notified well after the HIPAA Breach Notification Rule deadline. These delays and violations led to a penalty of $475,000 on Presence Health.

The importance of risk assessments following a PHI breach

Per the HIPAA Breach Notification Rule, any impermissible use or disclosure of PHI is considered a breach, and the CE must notify all affected individuals and other parties (see the HIPAA Breach Notification Rule section) about the incident.

The only way the CE can avoid sending these notifications is by demonstrating that the incident was not a breach. Specifically, the CE must show that the probability of PHI compromise following an incident is very low. To do so, the CE must perform a risk assessment based on at least these four factors:

• The nature and extent of the PHI involved. Patient names, addresses and email addresses are all PHI so if there are any unauthorized disclosures of these data points, CEs must notify the affected individuals.
• The unauthorized person who used the PHI or to whom the disclosure was made. CEs must send notifications if the unauthorized person was a bad actor, such as a hacker or cybercriminal who could potentially use the information to harm the victims whose data was disclosed.
• Whether this person acquired or viewed the PHI. If the likelihood is high that the PHI was acquired or viewed, the disclosure is more likely to be high-risk, making notifications mandatory.
• Whether the risk to the PHI has been mitigated and to what extent. If the CE has already taken steps to mitigate the risk of unauthorized PHI disclosure, they can mark the disclosure as low-risk and demonstrate that there is little or no need for sending notifications.

Real-world examples of PHI breaches

PHI breaches are an ongoing issue for the healthcare industry.

According to the HIPAA Journal, a provider of HIPAA training, news and regulatory updates, the number of healthcare data breaches has increased year-on-year between 2009 (when HHS OCR first started tracking and publishing summaries of healthcare data breaches on its website) and 2024. The biggest annual increase occurred between 2018 and 2021. In this period, large data breaches (500 or more records) increased by 93.7%.

The number of records exposed, stolen or impermissibly disclosed has also increased over the past few years. In 2021, 60 million healthcare records were breached. This number increased to 168 million in 2023 and 275 million records in 2024.

One of the most high-profile recent PHI breaches occurred at Change Healthcare, a part of Optum Inc. A ransomware attack caused large-scale disruptions of Change Healthcare's systems and led to the breach of 85 million healthcare records, affecting 190 individuals. According to a notice published on the organization's website, the breached PHI involved individuals' contact information, dates of birth, health information like diagnoses and test results, billing and claims information, and health insurance information.

Similar large breaches have also occurred at other healthcare organizations in recent years, affecting millions of individuals and records. The U.S HHS OCR maintains a rolling list of breaches reported in the previous 24 months and the ones currently being investigated by the agency. As of July 2025, the site lists over 800 breach cases, most of them the result of hacking or unauthorized access/disclosure.

Strategies to prevent PHI breaches

Healthcare providers, payers and other organizations that handle PHI have started to strengthen their cybersecurity infrastructure by deploying increasingly sophisticated technologies including multifactor authentication, advanced perimeter monitoring, vulnerability testing and identity monitoring.

Hospitals, health systems and physician practices have also begun training employees about ransomware and other threats, and the importance of adopting good digital hygiene, such as keeping software updated and never clicking on links inside unsolicited emails. Some organizations are also implementing more comprehensive policies to determine who can access PHI, how they can use PHI, and to whom they can disclose PHI.

Some other strategies that healthcare organizations can adopt to minimize the potential for PHI breaches include:

• Use strong passwords for all sensitive systems and update them regularly.
• Limit access to PHI on a need-to-know basis.
• Control physical access to sensitive areas and to devices.
• Restrict the use of personal devices for accessing PHI.
• Conduct an annual risk assessment of the entire IT infrastructure to identify potential vulnerabilities.
• Install antivirus and anti-malware software on all devices.
• Set up wireless routers to operate only in encrypted mode.
• Establishing a comprehensive incident response plan with clear response procedures, roles and responsibilities.

Last year's major healthcare cyberattacks impacted millions, exposing vulnerabilities and underscoring the need for strong cybersecurity to protect patient data. Explore what we can learn from five of these healthcare cyberattacks and check out top cybersecurity strategies for healthcare payers.