top of page

Why the Dark Web Loves PHI


Private health information, better known as PHI, refers to all of that confidential patient data stored within health organizations’ physical and digital systems. Although PHI laws initially referred to verbal communication and physical documents, the onset of the digital age guaranteed swift legislation aimed at covering that digital gap—for instance, the widely recognized Health Insurance Portability and Accountability Act (HIPAA) law of 1996.

If you work for a healthcare organization, or even occasionally contract with one (as a lawyer or tech support might), then you know just how important and confidential the data on your systems really is!

PHI on the Dark Web

PHI is one of the most valuable types of data on the dark web. It can be used for a variety of illegal purposes, such as identity theft, medical fraud and insurance fraud — which makes it incredibly lucrative data to have.

These dark marketplaces often sell this data in bulk, too, which serves the dual purpose of netting the seller a larger sale and simultaneously making it difficult for individuals to track down and remove their own PHI from the dark web.

Meanwhile, the consequences of having yours available on the dark marketplace can be serious:

  1. Identity theft can be used to commit fraud, open bank accounts and even obtain credit cards.

  2. Cybercriminals can use PHI to target individuals with phishing emails or malware that is designed to steal their personal information; the more they know about you, the more convincing the spear-phishing becomes.

  3. PHI is often used in conjunction with other types of data, such as financial data and social media data, to create a more complete picture of an individual. This information can then be used to target individuals with more sophisticated attacks.

Yes, theft of PHI really is that dangerous! It can be sold for as little as $1 or as much as $1000 for each PHI record, so you need to take care to protect it to the very best of your abilities.


If you believe that your PHI may have been compromised, you should contact your healthcare provider and the appropriate law enforcement agencies immediately! When you’re taking care of other people’s private health information, you need to be vigilant about potential threats to your particular industry and role within the organization.

Ransomware, phishing scams, denial-of-service attacks and even insider threats are just as likely and dangerous to your private data as in any other industry.

There are also many geo-specific laws that mamy pertain to you depending on where you operate. For example, Canada has a nation-wide Personal Health Information Protection Act just like the U.S. has HIPAA. There may also be local privacy laws regarding PHI management, for example the California Confidentiality of Medical Information Act (CMIA) or Ontario’s Personal Health Information Protection Act of 2004.

Clearly, humans all over the world care about protecting their private health information. That’s not the only kind of confidential data that needs to be carefully safeguarded, though. Anyone who handles personally identifiable information (PII) needs to know the industry- and location-specific laws that apply to them in terms of data protection.

Together, we can make the Internet a safer place and keep all of our private data, protected!

0 views0 comments


bottom of page