PHI (Protected Health Information) is sensitive medical data, like patient names, birthdates, and medical record numbers, that is governed by laws and regulations and counts as a high-value target whose compromise creates serious data security risk.
PHI stands for Protected Health Information. It's the medical version of sensitive personal data: patient names tied to health records, birthdates, medical record numbers, diagnoses, and anything else that links a real person to their medical care. Because laws and regulations protect this data, PHI sits in the "highly sensitive" bucket the CED flags in EK 5.1.C.2.
In AP Cybersecurity terms, PHI matters because of what happens when it leaks. EK 5.1.C.1 breaks data risk into the CIA triad: confidentiality (unauthorized people see it), integrity (someone alters it), and availability (it gets destroyed or encrypted out of reach). PHI is a prime example of data where all three really hurt. A healthcare provider storing patient names, birthdates, and medical record numbers in a weakly encrypted database is exactly the kind of high-risk scenario the CED describes: sensitive, regulated data exposed to a likely exploit.
PHI lives in Unit 5: Securing Applications and Data, topic 5.1. It supports learning objective AP Cybersecurity 5.1.C, where you assess and document risks from data vulnerabilities. The reason PHI keeps coming up is the risk-rating logic in EK 5.1.C.2: high risk means highly sensitive data (the kind governed by laws or regulations) facing a likely exploit. PHI checks both boxes. When you do a risk assessment on the exam, PHI is the data type that pushes a finding into the high-severity zone, so recognizing it tells you how serious a vulnerability really is.
PII (Personally Identifiable Information) (Unit 5)
PHI is basically PII with a medical layer on top. PII is any data that identifies a person; PHI is that identity tied to health records. Both are regulated, both are high-risk, and on the exam they trigger the same "highly sensitive data" reasoning.
PCI (Payment Card Industry data) (Unit 5)
PHI, PII, and PCI are the three big categories of regulated, high-value data. PCI covers credit card info. Spotting which category you're looking at is how you justify a high risk rating in a 5.1.C assessment.
Data at rest (Unit 5)
The classic PHI scenario is a database with weak encryption, which means PHI sitting as data at rest. EK 5.1.A.1 warns that anyone with drive access can read unencrypted files, so PHI at rest with bad encryption is a confidentiality breach waiting to happen.
Application attacks like SQL injection (Unit 5)
PHI usually lives in a database behind a web application, so the attacks in 5.1.B (SQL injection, weak input checks) are often the path an adversary takes to steal it. The vulnerability is the door; PHI is what's behind it.
Expect PHI in multiple-choice questions as the answer to "which term describes this sensitive data at risk?" A typical stem describes a healthcare provider storing patient names, birthdates, and medical record numbers in a weakly encrypted database, and you pick the data category. Your job is recognition plus risk reasoning: identify the data as PHI, then connect it to the high-risk logic in EK 5.1.C.2 (regulated data + likely exploit = high severity). No released FRQ has used PHI verbatim, but it fits cleanly into any risk-documentation prompt under 5.1.C where you weigh impact against likelihood.
PII is the broad category of data that identifies a person (name, SSN, email). PHI is the narrower, healthcare-specific slice: identifying data linked to medical records, diagnoses, or treatment. Every piece of PHI involves PII, but plenty of PII isn't PHI. If the scenario mentions a hospital, clinic, patient, or medical records, reach for PHI.
PHI (Protected Health Information) is sensitive medical data like patient names, birthdates, and medical record numbers that is protected by law.
Because PHI is regulated and highly sensitive, it triggers the high-risk rating described in EK 5.1.C.2 during a data risk assessment.
PHI compromise can hit any part of the CIA triad: confidentiality if it's seen, integrity if it's altered, availability if it's destroyed or encrypted.
PHI is PII with a medical layer; it's still PII, just the healthcare-specific kind.
A weakly encrypted database of patient records is the textbook PHI-at-risk scenario the exam uses.
PHI is Protected Health Information, meaning sensitive medical data tied to a real person, such as patient names, birthdates, and medical record numbers. The CED treats it as highly sensitive, regulated data, so it counts as a high-risk asset in a data risk assessment under topic 5.1.
No, not exactly. PHI is a specific type of PII tied to health and medical records. All PHI is PII, but most PII (like your email or home address alone) isn't PHI. If a question mentions a hospital, clinic, or patient records, it's pointing at PHI.
Because EK 5.1.C.2 says high risk comes from highly sensitive data, especially data governed by laws or regulations, that faces a likely exploit. PHI is legally protected and very sensitive, so exposing it lands you squarely in the high-severity category.
PHI is usually stored in databases, which makes it data at rest. EK 5.1.A.1 warns that unencrypted files can be read by anyone with drive access, so a weakly encrypted PHI database is a classic confidentiality vulnerability the exam likes to test.
Anything that links a person to their healthcare: patient names, birthdates, medical record numbers, diagnoses, and treatment details. The signal in an exam scenario is a healthcare provider plus identifiable patient information.