e-PHI Data Security: What is e-PHI Data Theft?

PHI stands for protected health information and includes just what it sounds like: identifiable information in a person’s health data records, such as health details, date of birth, Social Security number, fingerprints, photos/images, and even financial information. e-PHI is the same information, held, used, and transmitted in electronic form (there are actually 18 types of e-PHI). This personally identifiable health data is used to keep a history of accurate health records, but because PHI holds so much personally identifiable and valuable information — and because the majority of health records have become electronic — these records have also become a huge target for cyber criminals.

PHI and e-PHI Data Theft

PHI data theft, e-PHI data theft, or a PHI breach is the “unauthorized access, use, or disclosure of individually identifiable health information that is held or transmitted by a healthcare organization or its business associates.” This applies to electronic, paper, or oral transmissions. This information is often stolen because it gives PHI thieves:

  • Access to data that can be used for identity theft.
  • The ability to commit Medicare or medical fraud.
  • Access to health information about public figures.
  • Access to health organization computer networks.
  • The ability to steal intellectual property.
  • The ability to learn the workflow and capabilities of the health organization’s EHR.

And unlike financial theft, such as stolen credit card numbers or bank account details, mitigating the effects of stolen personal health information isn’t as easy as canceling a card or changing an account number: health history, date of birth, and Social Security number cannot be reissued.

PHI Data Theft Stats

Healthcare data breaches are on the rise — 2017 saw more reported data breaches than any other year since records were first published in 2009 — and most of these now come from hacking and IT incidents. In addition, from 2009 to 2017, there were 2,181 healthcare data breaches that each involved more than 500 records (the Department of Health and Human Services’ Office for Civil Rights doesn’t publish healthcare data breaches below 500 records), which resulted in the theft or exposure of 176,709,309 healthcare records — or roughly 50% of the U.S. population.

How to Protect PHI and e-PHI

PHI and e-PHI are protected by two acts: the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 and the HIPAA (Health Insurance Portability and Accountability Act) of 1996. Both acts mandate certain IT requirements for healthcare organizations, so your best plan of action is to make sure those IT requirements and data security measures are in place. Next, make sure you have a strong IT company on your team that not only gives you access to the latest technologies, but also verifies that your healthcare IT requirements are continuously being met. Finally, it’s always important to make sure that all members of your healthcare team are trained to spot and avoid potential IT risks.