An American hospital discovers that attackers accessed one of its databases. Investigators estimate that records belonging to more than 500 patients have been exposed, triggering a legal obligation to notify both the affected individuals and local media outlets. Which type of data was most likely compromised?
Protected health information (PHI) is any individually identifiable health data (such as diagnoses, treatment details, or prescriptions) maintained or transmitted by a covered entity. Under the HIPAA Breach Notification Rule, a breach involving the unsecured PHI of more than 500 residents of a state or jurisdiction requires the covered entity to notify the affected individuals and prominent media outlets within 60 days. Because that 500-person threshold and media-notice requirement apply specifically to PHI, the stolen data was almost certainly PHI, not general PII, payment-card data (PCI), or another category.