Allegiance Group
September 19, 2025
Why PHI Should Never Be Sent Through Email

Healthcare organizations handle some of the most sensitive information about individuals, from medical records to Social Security numbers. Protecting this data is not just a legal obligation under HIPAA; it is essential to maintaining patient trust. Yet despite well-known risks, email remains a frequent channel for exposing personal health information (PHI).

In the first half of 2025, U.S. healthcare entities reported 379 data breaches exposing the personal health information (PHI) of more than 31 million people (The HIPAA Guide, 7/17/25). 


Why Email Is Unsafe for PHI 

Email is familiar and fast, but it was not built to protect sensitive data. Standard email protocols encrypt, at best, hop by hop between mail servers rather than end-to-end, so a message sits in readable form on every server that relays or stores it. When PHI is transmitted via regular email, it can be:

  • Intercepted in transit by cybercriminals 
  • Exposed in a compromised inbox if login credentials are stolen 
  • Accidentally forwarded to unauthorized recipients 
  • Stored long term on servers without proper encryption or access controls 

Such breaches aren’t theoretical. They’re among the leading causes of HIPAA violations and data breaches. 

The Cost of Email Breaches 

The financial impact can be staggering. Healthcare consistently tops the list of most expensive industries for data breaches. The average cost of a healthcare breach soared to $10.93 million in 2023 (IBM). 

More recent data shows that in 2025 the average U.S. healthcare data breach still costs $10.22 million. Even though the global average cost of a data breach fell in 2025 to $4.44 million, healthcare remains the most costly sector (ITPro and DeepStrike).

Beyond financial loss, breaches can lead to identity theft, medical fraud, and significant emotional harm to patients, especially when intimate personal details are exposed.


Safer Alternatives for Sharing PHI 

Fortunately, there are secure, HIPAA-compliant options for transmitting sensitive data: 

  • Secure portals provide protected environments for exchanging information, with restricted access and activity logs 
  • Encrypted email tools, such as those included in Microsoft 365 and Google Workspace, ensure only the intended recipient can access the content 
  • Secure file transfer systems encrypt files both in transit and at rest, offering audit trails for confirmation of access 

Whenever possible, avoid sending PHI altogether by using identifiers like account numbers or invoice numbers to locate records without sharing names, Social Security numbers, dates of birth, or addresses. 
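As an added example (not part of the original post, and not Allegiance Group's code), the following Python sketch shows the kind of outbound check that operationalizes the advice above: it flags Social Security numbers and dates of birth in a message before it leaves, blocks the message unless an encrypted channel is in use, and lets a message through when it references a record only by an account or invoice number. The regex patterns, the `ACCT-` identifier format and the sample messages are assumptions constructed for the demo.

```python
import re

# Constructed detection patterns for two PHI elements named in the post.
# Real DLP rules would be tuned to the organization's own data and formats.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}


def redact(value):
    """Keep only the last four characters so a finding can be logged without re-exposing PHI."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_outbound(subject, body, encrypted=False):
    """Return (verdict, findings) for an outbound message.

    verdict is "block" when a PHI pattern appears and no encrypted channel is in use,
    "allow-encrypted" when PHI appears but the message goes through an encrypted tool,
    and "allow" when no PHI pattern is found (e.g. only an account number is used).
    findings lists (pattern name, redacted match) pairs for the audit log.
    """
    text = f"{subject}\n{body}"
    findings = [(name, redact(m.group()))
                for name, pattern in PHI_PATTERNS.items()
                for m in pattern.finditer(text)]
    if not findings:
        return "allow", findings
    return ("allow-encrypted" if encrypted else "block"), findings


if __name__ == "__main__":
    # Constructed sample messages, not real patient data.
    samples = [
        ("Balance question", "Patient SSN 123-45-6789, DOB 03/14/1985, please advise.", False),
        ("Balance question", "Please look up account ACCT-00448213 and advise.", False),
        ("Records request", "Verifying DOB 03/14/1985 for the account on file.", True),
    ]
    for subject, body, encrypted in samples:
        verdict, findings = scan_outbound(subject, body, encrypted)
        print(f"{verdict:16} findings={findings}")
```

A check like this belongs at the mail gateway or in the DLP policy of the encrypted-email tool, not only on the sender's desktop, so that a forwarded or reply-all message is caught too.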

If your organization uses email encryption, make sure you understand how to enable and verify it. Contact your IT department for guidance on best practices for using encryption tools or for access to secure portals and file transfer systems. 

Bottom line: Email may be convenient, but when it comes to PHI, it’s not worth the risk. Choosing secure alternatives protects patients, reduces financial and reputational risk, and ensures compliance in today’s digital healthcare landscape. 


Secure Systems Still Depend on Secure Practices 

At Allegiance Group, we prioritize protecting sensitive information. Our COLLECTPlus platform is HITRUST certified, meaning its security controls align with the healthcare industry’s most rigorous standards. Yet even the most secure system cannot protect PHI if it’s sent via unsecured email. That’s why using secure tools and following best practices is critical for keeping patient information safe. 
