What Is a Breach of PHI? Definition and Examples

A breach of PHI (protected health information) is any unauthorized use, access, or disclosure of health information that can identify a specific person. Under HIPAA, the federal law governing health data privacy, any time PHI is improperly handled, it is presumed to be a breach unless the organization can prove there was a low probability the information was actually compromised.

What Counts as Protected Health Information

PHI is any health-related information that can be tied back to a specific individual. That includes the obvious, like medical records, diagnoses, lab results, and prescription histories. But it also includes less obvious data points: names, birth dates, Social Security numbers, phone numbers, email addresses, and even IP addresses or full-face photos, when they appear alongside health information. HIPAA identifies 18 types of personal identifiers. If any one of them is linked to health data, that data qualifies as PHI.

PHI exists in every format. A paper chart left on a desk, an electronic health record in a database, a voicemail from a doctor’s office that mentions a diagnosis, a text message between nurses about a patient. All of it is protected.

How HIPAA Defines a Breach

Under HIPAA’s Breach Notification Rule, any impermissible use or disclosure of PHI is automatically presumed to be a breach. The burden then falls on the healthcare organization (or its business associate) to prove otherwise. To do that, the organization must conduct a risk assessment using four specific factors:

  • What type of information was involved. Did the exposed data include direct identifiers like Social Security numbers or diagnoses, or was it limited to less sensitive details? How easily could someone re-identify a person from the data?
  • Who received or accessed the information. Was the unauthorized person another healthcare provider bound by their own privacy obligations, or was it someone with no reason to have the data at all?
  • Whether the information was actually viewed. There’s a difference between a misdirected email that was returned unopened and one that was read. If the data was never actually acquired or viewed, the risk drops significantly.
  • What steps were taken to reduce the risk. Did the organization retrieve the information, get confirmation it was destroyed, or take other actions to contain the exposure?

Only if the organization can demonstrate, using all four factors, that there is a low probability the PHI was compromised does the incident escape being classified as a breach. If there’s any doubt, HIPAA treats it as a breach.

Common Ways PHI Gets Breached

Breaches range from massive cyberattacks to everyday human mistakes. The most common scenarios fall into a few categories.

Snooping in patient records is one of the most frequent and preventable violations. This happens when a hospital employee looks up a patient’s chart without a legitimate work-related reason, whether out of curiosity about a coworker, a celebrity, or an ex. Even if the employee never shares what they saw, the unauthorized access itself is a breach.

Lost or stolen devices remain a major source of large-scale breaches. A laptop, phone, or USB drive containing unencrypted patient data that goes missing in a car theft or gets left at an airport can expose thousands of records at once.

Improper disposal is surprisingly common. Paper records tossed in a regular trash bin rather than shredded, old hard drives donated or discarded without being wiped, even prescription bottles thrown away with patient labels still attached. All of these create opportunities for unauthorized access.

Sharing PHI with unauthorized people covers a wide range of situations: faxing records to the wrong number, emailing test results to the wrong patient, or discussing a patient’s condition with a family member the patient hasn’t authorized. Social media posts are an increasingly common version of this. A nurse posting a photo from the ER that includes a patient’s face or chart in the background, even unintentionally, is a reportable breach.

The Scale of the Problem

PHI breaches are not rare events. In 2025 alone, at least 710 healthcare data breaches were reported, exposing the protected health information of more than 61.5 million people. Hacking and IT incidents account for the largest share of affected individuals, but smaller breaches caused by human error and insider access are far more numerous in total count.

What Happens After a Breach

Once a breach is confirmed, the organization responsible must notify every affected individual. HIPAA requires this notification within 60 days of discovering the breach. The notice must explain what happened, what types of information were involved, and what steps the person can take to protect themselves.

If the breach affects 500 or more people in a single state or jurisdiction, the organization must also notify prominent local media outlets. Breaches of that size are simultaneously reported to the U.S. Department of Health and Human Services, which publishes them on a public online database sometimes called the “Wall of Shame.” Smaller breaches affecting fewer than 500 individuals are reported to HHS annually in a combined log.

Consequences for Organizations

The consequences of a PHI breach go well beyond the notification letters. HHS’s Office for Civil Rights investigates breaches and can impose financial penalties ranging from thousands to millions of dollars, depending on the severity and whether the organization was negligent. In many cases, the organization enters a corrective action plan that requires them to overhaul their privacy practices under federal oversight.

A corrective action plan typically requires the organization to rewrite its privacy policies and submit them to HHS for approval within 60 days. Once approved, the new policies must be distributed to every employee within 30 days, and each employee must sign a written certification confirming they’ve read and understood them. The organization must then provide updated training at least annually, train new hires within 30 days of their start date, and apply sanctions against any employee who fails to comply. These plans are monitored for years, and the organization must reassess and update its policies at least once a year.

What a Breach Means for You

If your PHI has been breached, you should receive a written notification explaining the incident. That letter will describe what information was exposed and typically offer free credit monitoring or identity theft protection if financial identifiers like Social Security numbers were involved. Beyond taking advantage of those services, it’s worth reviewing your medical records for any unfamiliar entries. Medical identity theft, where someone uses your health information to receive care or file insurance claims, can create inaccurate records that affect your future treatment.

You can also file a complaint directly with HHS’s Office for Civil Rights if you believe a healthcare provider or insurer mishandled your information, whether or not you’ve received a breach notification. There is no cost to file, and the complaint can be submitted online.