Protected health information (PHI) breaches have affected 159 million patients since 2009.

The majority have been shown to compromise sensitive demographic or financial information that could contribute to identity or financial fraud, according to an analysis published in the Annals of Internal Medicine.

Study investigators examined all verified cases of PHI breaches indicated by health plans, healthcare clearinghouses, and healthcare providers from October 21, 2009 to July 1, 2019. These data were gathered from reports of breaches affecting ≥500 people published online by the US Department of Health and Human Services. In the final analysis, the sample was comprised of 1461 breaches from a total of 1388 entities affecting approximately 169 million patients in aggregate.

Continue Reading

A total of 3 types of comprised PHI were included in the analysis: demographic information (ie, patient names, email addresses, phone numbers, etc); type of service or financial information (ie, service dates, billing amounts, payment information, etc); and medical or clinical information (ie, diagnoses and treatment).

Related Articles

All breaches included in the sample had ≥1 piece of demographic information. Up to 964 breaches affecting 150 million patients contained sensitive demographic information, such as Social Security or driver’s license numbers. Approximately 35% of the 1461 breaches compromised either service or financial information.

Sensitive financial information, such as credit card or banking account numbers, were compromised in 49 million patients who were affected by 186 breaches. Medical or clinical information was compromised in 944 breaches affecting 48 million patients.

Study limitations were the exclusion of breaches affecting ≤500 people, as well as the potential for some breaches to go unreported or even undiscovered.

The researchers concluded that standardized documentation of comprised PHI breaches may “facilitate the analysis and understanding of breaches and their consequences and the development and adoption of PHI security practices.”


Jiang JX, Bai G. Types of information compromised in breaches of protected health information [published online September 24, 2019]. Ann Intern Med. doi:10.7326/M19-1759