According to a new study conducted by Verizon, "90% of industries have experienced a PHI breach."

What's PHI? Protected health information - health-related data that's covered by at least one data breach disclosure law.

While Australia doesn't have such laws, the National Privacy Principles do provide an expectation of privacy, Verizon APAC head of security solutions Robert Parker (pictured) told iTWire.

And there have been breaches involving such data in this country, he said, but would not provide specific examples citing confidentiality agreements. (Which is ironic - at least one organisation has somehow revealed data that should have been kept confidential, but is now itself hiding behind the shield of confidentiality.)

Apart from the way the issue affects the health and insurance industries, employers are increasingly running 'wellness' or similar programs for their staff, often in conjunction with outside organisations, and the information collected in the process should be protected. But those administering such programs are not well educated about keeping it secure, he said.

PHI may also be stored in HR systems, perhaps relating to sick leave or workers' compensation claims.

The is an understanding of the need to protect credit card information, for example, but not for the personal information of individuals.

Adding to the problem, "if PHI information is out there, there's not a lot you [the subject] can do."

There have been cases of individuals suffering harm as the result of health information being stolen, he added. It can be used in identity theft, and as certain illnesses and other medical events can attract social stigma, their disclosure can affect the person's personal and professional life, and in some cases open them to blackmail.

"That is a very real scenario, even here in Australia," said Parker.

While Verizon provides security consulting and managed services to Australian organisations, Parker provided a few simple and relatively inexpensive measures that can be taken as a starting point:

• Only collect and store information that is actually necessary.
• Physically secure the information, and destroy it before disposal (eg, shred all paper documents containing PHI).
• Use encryption, so if storage devices are lost or stolen the information remains protected. This can be as simple as enabling features provided in operating systems.
• Make sure employees are not given excessive access privileges (eg, certain IT staff may have admin rights, but they should not be able to view employee data).
• Disable access mechanisms that aren't required by the systems.

Verizon's 2015 Protected Health Information Data Breach Report is available here.