
Are Fingerprints PII?

Fingerprints are personally identifiable information (PII) inasmuch as they can be used to identify an individual, and they may enhance security when used with biometric identification software such as scanners and touchpads. However, if fingerprint data is hacked, the impact on the individuals whose PII has been breached can be permanent.

Fingerprints have been used for more than a century to identify individuals – most often in criminal investigations. Since automated biometric systems became available, fingerprints have commonly been used to authenticate the identity of individuals when (for example) logging into smartphones, accessing buildings, verifying point-of-sale purchases, or crossing borders.

Fingerprints PII is generally considered more secure than other authentication methods such as PINs and passwords because it is harder for a malicious actor to compromise a fingerprint. However, while a hacked PIN or password can be changed, a hacked fingerprint cannot, so the consequences of a fingerprints PII breach can be permanent.

How Much Does Fingerprints PII Enhance Security?

When a scanner or touchpad captures an image of a fingerprint, an algorithm converts the image into a binary template based on the minutiae of the fingerprint – i.e., the points where ridges on the finger join, form a lake, spur, or crossover, or terminate. The template is stored locally on the scanner or touchpad (usually separate from the device’s network), remotely in a central database, or both.


Then, when a user wants to (for example) log into their smartphone using a fingerprint, an image of the user’s fingerprint is captured during the login process and compared to the stored template. If the new image and the stored template match, the user is logged into the smartphone. The method sounds secure, but there are ways in which its security can be circumvented.

Local Device

In 2023, two Chinese researchers published a study demonstrating how it is possible to brute-force a fingerprint-protected Android smartphone in as little as 40 minutes. Simpler methods – such as the gummy bear method and the hi-res photo method – exist if a hacker is able to obtain a copy of the individual’s fingerprint, while it is also possible to circumvent fingerprint security with a 3D scanner.

Remote Database

When fingerprints PII – or any other personally identifiable information – is stored in a remote database, the database should be secured against unauthorized access. Unfortunately, some vendors fail to adequately secure remote databases. In 2019, researchers were able to access almost 28 million records maintained on Suprema’s BioStar 2 database – including millions of unhashed fingerprints PII templates.

It is not only the case that hackers could use stolen unhashed fingerprints PII templates to commit identity theft. Hackers could also remove fingerprint data from a database – whether hashed or not – and replace it with their own or somebody else’s. This would enable them to use an individual’s identity with their own – or a third party’s – fingerprints to access buildings, verify point-of-sale purchases, or cross borders.
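The substitution risk described above (an attacker with write access to the database swapping a stored template for their own, or copying another user's valid record under the victim's identity) is only detectable if the stored record is bound to the user it belongs to by a secret the database does not hold. The following is an added example written for this article, not code from The HIPAA Journal or from any biometric vendor. It assumes the template is an opaque, exactly reproducible byte string produced by the scanner's minutiae algorithm, that the server keeps an HMAC key outside the database, and that the sample templates (`TEMPLATE_ALICE`, `TEMPLATE_MALLORY`) are constructed stand-ins rather than real fingerprint data.

```python
"""Added example: integrity-protected storage of fingerprint templates so that
record substitution in a remote database is detected at authentication time.

Assumptions (not from the original article):
  - A template is an opaque byte string that the scanner reproduces exactly.
  - The server holds KEY separately from the database (e.g. in an HSM or KMS).
  - TEMPLATE_ALICE / TEMPLATE_MALLORY are constructed sample values.
"""
import hashlib
import hmac
import secrets

# Constructed sample templates standing in for minutiae-derived binary codes.
TEMPLATE_ALICE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
TEMPLATE_MALLORY = bytes.fromhex("deadbeefcafef00d0123456789abcdef")


def protect_template(key: bytes, user_id: str, template: bytes) -> dict:
    """Build a database record: a salted hash of the template plus an HMAC tag
    that binds the hash to the user id. The tag needs KEY, so an attacker
    with only database access cannot forge a record that verifies."""
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + template).digest()
    tag = hmac.new(key, user_id.encode() + salt + digest, hashlib.sha256).digest()
    return {"user_id": user_id, "salt": salt, "digest": digest, "tag": tag}


def verify_record(key: bytes, user_id: str, record: dict) -> bool:
    """True only if the record was written by the key holder for this user id."""
    expected = hmac.new(
        key, user_id.encode() + record["salt"] + record["digest"], hashlib.sha256
    ).digest()
    # Constant-time comparison: avoids leaking tag bytes through timing.
    return hmac.compare_digest(expected, record["tag"])


def authenticate(key: bytes, user_id: str, record: dict, presented: bytes) -> bool:
    """Reject tampered or re-bound records before comparing the presented template."""
    if record["user_id"] != user_id or not verify_record(key, user_id, record):
        return False
    digest = hashlib.sha256(record["salt"] + presented).digest()
    return hmac.compare_digest(digest, record["digest"])


def demo() -> dict:
    """Run the genuine login and three tampering scenarios against one record."""
    key = secrets.token_bytes(32)
    db = {"alice": protect_template(key, "alice", TEMPLATE_ALICE)}

    genuine = authenticate(key, "alice", db["alice"], TEMPLATE_ALICE)
    wrong_finger = authenticate(key, "alice", db["alice"], TEMPLATE_MALLORY)

    # Scenario 1: attacker overwrites alice's digest with a hash of their own
    # template (they can read the salt, but not KEY, so the tag no longer matches).
    forged = dict(db["alice"])
    forged["digest"] = hashlib.sha256(forged["salt"] + TEMPLATE_MALLORY).digest()
    substituted = authenticate(key, "alice", forged, TEMPLATE_MALLORY)

    # Scenario 2: attacker copies a valid record enrolled for "bob" and relabels
    # it as alice's. The tag was computed over "bob", so verification fails.
    bob = protect_template(key, "bob", TEMPLATE_MALLORY)
    rebound = dict(bob)
    rebound["user_id"] = "alice"
    rebound_ok = authenticate(key, "alice", rebound, TEMPLATE_MALLORY)

    return {
        "genuine": genuine,
        "wrong_finger": wrong_finger,
        "substituted": substituted,
        "rebound": rebound_ok,
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:12s} accepted={accepted}")
```

The design point is that hashing alone does not stop the replacement attack the article describes: a hash of the attacker's template is just as valid a hash as the victim's. What defeats it is the keyed tag over `user_id || salt || digest`, checked before any matching happens, with the key kept out of the database. Real minutiae templates are not bit-for-bit reproducible between captures, so production systems use fuzzy matching or dedicated biometric template protection rather than a plain salted hash; the integrity binding shown here applies unchanged to whatever representation is stored.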

In Transit between the Two

In theory, when any personally identifiable information is transmitted between a local device and a remote database, the PII should be encrypted so it is rendered unusable, undecipherable, and unreadable to any “man-in-the-middle” hacker. However, two issues with biometric identification software result in some vendors failing to ensure fingerprints PII is encrypted in transit as well as at rest.

The first is latency. Encryption slows the matching of a scanner or touchpad image against the stored fingerprints PII template. Depending on the length of the delay, access to buildings may time out, point-of-sale payments may be declined, and border crossings may be denied. The second issue is cost. Encryption increases the cost of biometric identification software to end users.

Overcoming Fingerprint Security Issues

The ways to overcome fingerprint security issues can vary depending on the reason for using fingerprints PII to authenticate the identity of individuals. For example, it can enhance security to add multi-factor authentication to point-of-sale devices; but there is no benefit to adding multi-factor authentication to prevent unauthorized access to a smartphone if a hacker gets possession of the smartphone.

Remote databases are hacked on a daily basis due to the exploitation of software vulnerabilities (e.g., MOVEit), human susceptibility (e.g., phishing), and human error (e.g., weak passwords). Companies responsible for the security of fingerprints PII should conduct penetration tests, train workforce members to recognize phishing attempts, and deploy password managers to enforce the use of strong passwords.

With regard to encryption, any personally identifiable information that could be misused to cause an individual harm should be encrypted regardless of the latency or the cost. The increasing number of lawsuits for biometric data breaches (and new laws protecting biometric data) means that it may soon no longer be cheaper to take chances with fingerprints PII and other biometric data in transit.

Are Fingerprints PII or PHI in Healthcare?

Fingerprints can be either PII or PHI in healthcare depending on who the fingerprints belong to, what they are used for, and how they are stored. Examples of when fingerprints are PII include when a medical professional has to scan a fingerprint to access a storeroom in which controlled substances are kept, or when a member of the IT team has to scan a fingerprint to access an area in which servers are maintained.

Fingerprints are only PHI in healthcare when they are maintained in a designated record set with information that relates to an individual’s health condition, treatment for the health condition, or payment for the treatment. If an individual’s fingerprints are maintained outside a designated record set, they qualify as PII. Nonetheless, for the reasons given above, the data must be effectively secured to prevent loss, theft, or compromise.

Healthcare providers unsure about the distinction between fingerprints PII and fingerprints PHI should seek independent compliance advice. Those who require further information about multi-factor authentication, database security, or encrypting fingerprints PII should speak with a data security expert who has knowledge of the healthcare industry and HIPAA compliance.

Author: Owen Bates is a Contributing Editor and HIPAA Subject Matter Expert at The HIPAA Journal, having joined the publication in November 2024. He researches HIPAA compliance topics and writes authoritative reference articles that help readers understand complex regulatory requirements in a clear and practical way. He also reviews and updates existing content to reflect changes to HIPAA regulations, helping ensure the accuracy and relevance of published material. In addition to his editorial work, Owen contributes as a reviewer and tester of The HIPAA Journal Training courses, supporting the development of high-quality educational content. He also advises The HIPAA Journal’s clients on best practices for HIPAA implementation and enforcement. Owen is a psychology graduate of Westmont College, California.
