A PHI breach is unauthorized access, use or disclosure of individually identifiable health information that is held or transmitted by a healthcare organization or its business associates. In the United States, personal health information (PHI) whether in electronic, paper or oral form., is protected by the HITECH Act and the Health Insurance Portability and Accountability Act (HIPAA). In recent years, personal health information has become a popular target for criminal computer attacks. This is because PHI is contained within an historical electronic record that not only includes health details, but also valuable data such as date of birth, Social Security number and financial information.
Unlike the illegal appropriation of personal electronic financial information such as credit cards and bank account numbers, personal health information can't easily be canceled or changed. The persistence of that data is what criminals and others who hack into health data, or physically steal printed information or stored data, are after. Often, the attack is carried out to get information that can be used or Medicare or other medical fraud. Other motives include gaining access to health information about public figures, gaining access to health organization computer networks to steal intellectual property, learn about workflow and capabilities of the organization's EHR (electronic health record) system and identity theft.
In 2016, the number of major PHI breaches reported to the United States federal government involved the health data of 15.1 million people, a sharp rise from 2015, when 11.3 million people were affected by reported breaches. The biggest PHI breaches in 2016 as reported to the Office for Civil Rights, which enforces HIPAA, were at Banner Health in Arizona, in a network server hacking attack that involved the PHI of more than 3.7 million patients; and at 21st Century Oncology in Florida in a similar cyberattack that affected more than 2.2 million. Also in 2016, ransomware cyberattacks on healthcare organizations increased in sophistication, frequency and success, according to law enforcement officials and health IT experts. In what was probably the most notorious ransomware strike in recent years, cybercriminals shut down the data system of Hollywood Presbyterian Medical Center in Los Angeles. The 434-bed hospital was forced to use paper records for two to three days, and ultimately paid $17,000 ransom in the bitcoin digital currency to unlock its network.
Healthcare providers, payers and other organizations that handle PHI have started to spend more on cybersecurity and deploy increasingly sophisticated technologies including multifactor authentication, advanced perimeter monitoring, vulnerability testing and identity monitoring. Hospitals, health systems and physician practices have also begun training employees about ransomware and other threats and have been implementing more comprehensive policies to determin who can access PHI.