Security & compliance
Securing employee tax data and PHI in a hospital
Two kinds of sensitive data flow through a hospital's systems, and both are prime targets. The good news: the same handful of safeguards protect both — and one of them is simply not creating the risk in the first place.
A hospital protects two streams of sensitive personal data: employee tax and identity data (pay statements, W-2s and T4s, Social Security and Social Insurance numbers) and protected health information (PHI) (patient records). Both are valuable to attackers — tax data for refund fraud, PHI for its resale value — and both are protected by the same core controls: least-privilege access, full audit logging, encryption, and keeping the data where you control it.
This guide is general information, not legal or security advice. Confirm your obligations and controls with your security officer.
The threat to employee tax data: the W-2 phishing scam
The IRS has warned employers for years about a specific business email compromise (BEC) scam: an attacker spoofs an executive's email and asks payroll or HR for a list of all employees and their Forms W-2. One reply hands over every employee's name, SSN and wages. BEC was among the costliest cybercrimes of 2024, with billions in reported losses, and W-2 theft is a recurring variant.
The IRS's own advice
Route W-2 requests through an official process — such as the employer's HR portal — rather than email, and use a two-person review for any bulk payroll request. In other words: the safest place for a W-2 is behind authenticated self-service, not in an inbox.
This is where employee self-service does more than save time — it removes the attack. When every employee pulls their own W-2 from the portal, there is no bulk W-2 list for anyone to assemble or email, so the request a BEC scam impersonates simply doesn't exist.
The threat to PHI
Patient data is a perennial breach target. The HIPAA Security Rule requires covered entities to protect ePHI with administrative, physical and technical safeguards, including access controls and audit controls. For a portal that exposes patient records to outside clinicians, the essential protections are that access is scoped to the right patients, every view is logged, and nothing is copied out of the hospital's control. (See HIPAA-compliant hospital portals for the full picture.)
The safeguards that matter — for both streams
- Least-privilege, role-scoped access. Employees see only their own documents; clinicians see only their own patients. No broad access "just in case."
- Audit logging. Every access recorded — who, what, when, from where — so anomalies are visible and reviews are possible.
- Encryption. Data protected in transit and at rest.
- Strong identity. Authentication through your existing single sign-on, so access follows the directory you already manage and ends when employment does.
- Data stays in your environment. On-premises deployment means no third-party cloud copy to breach.
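The role-scoped access and per-access audit logging in this list, as an added Python illustration that is not Bluefish's own code: employees are scoped to their own tax documents, clinicians to their own patient panel, every decision is logged with who, what, when and from where, and there is no bulk W-2 export path for a spoofed request to succeed against. The directory contents and identifiers are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample directory: employees own their own tax documents,
# clinicians are limited to an explicit patient panel. No admin wildcard.
EMPLOYEE_DOCS = {"emp-1001": {"W2-2024", "T4-2024"}, "emp-1002": {"W2-2024"}}
CLINICIAN_PANEL = {"dr-77": {"pt-500", "pt-501"}}


@dataclass
class AuditEvent:
    who: str         # authenticated principal (from SSO in a real deployment)
    what: str        # resource identifier that was requested
    when: str        # UTC timestamp
    source_ip: str   # where the request came from
    allowed: bool    # decision; denials are logged too, so anomalies are visible


AUDIT_LOG: list[AuditEvent] = []


def _record(who: str, what: str, source_ip: str, allowed: bool) -> bool:
    """Append one audit event for every access decision and return the decision."""
    now = datetime.now(timezone.utc).isoformat()
    AUDIT_LOG.append(AuditEvent(who, what, now, source_ip, allowed))
    return allowed


def can_read_tax_doc(principal: str, owner: str, doc_id: str, source_ip: str) -> bool:
    """Least privilege for the employee stream: only the owner reads their own document."""
    allowed = principal == owner and doc_id in EMPLOYEE_DOCS.get(owner, set())
    return _record(principal, f"tax_doc:{owner}/{doc_id}", source_ip, allowed)


def can_read_patient_record(principal: str, patient_id: str, source_ip: str) -> bool:
    """Least privilege for the PHI stream: clinicians read only patients on their panel."""
    allowed = patient_id in CLINICIAN_PANEL.get(principal, set())
    return _record(principal, f"phi:{patient_id}", source_ip, allowed)


def bulk_export_tax_docs(principal: str, source_ip: str) -> list:
    """The portal offers no 'everyone's W-2' operation; the attempt is logged and denied."""
    _record(principal, "tax_doc:*", source_ip, False)
    return []


def denials_by_principal() -> Counter:
    """Review helper: repeated denials per principal stand out in the audit trail."""
    return Counter(e.who for e in AUDIT_LOG if not e.allowed)
```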
Where this fits at Bluefish
The Employee Portal gives every employee self-service access to their own pay and tax documents — role-scoped, logged, and running on-premises — so payroll never emails a W-2 list. HealthPoint gives referring physicians a read-only, fully audited view of only their own patients' records, without exporting data from your EMR. For the workforce rules behind tax-form delivery, see electronic W-2 access and electronic T4 access.
Sources: IRS — Form W-2/SSN data theft: information for businesses and payroll service providers · HHS — HIPAA Security Rule.
Frequently asked questions
- What is the W-2 phishing (BEC) scam?
- It's a business email compromise scam the IRS has repeatedly warned about: a criminal spoofs an executive's email and asks someone in payroll or HR to send a list of all employees and their Forms W-2. If the request is honored, the attacker gets every employee's name, Social Security number and wage data — enough to file fraudulent tax returns. The IRS advises routing W-2 requests through an official process such as the employer's HR portal, and using a two-person review for any bulk payroll request.
- How does employee self-service reduce W-2 fraud risk?
- It removes the request the scam depends on. When every employee retrieves their own W-2 from the portal, payroll never needs to assemble or email a bulk list of W-2s — so there is no 'send me everyone's W-2' workflow for an attacker to impersonate. The IRS itself points employers toward handling these requests through an HR portal rather than email.
- Is employee tax data protected by HIPAA?
- Generally no. HIPAA protects patient health information (PHI). Employee tax and identity data — W-2s, T4s, Social Security or Social Insurance numbers — is governed by other privacy, security and tax-safeguarding obligations. It is still highly sensitive and a frequent fraud target, so it warrants the same core safeguards: least-privilege access, audit logging, encryption, and keeping the data in your environment.
- What safeguards most reduce the risk for both data streams?
- Four do the heavy lifting: role-scoped least-privilege access (people see only their own data — or, for clinicians, only their own patients), full audit logging of every access, encryption in transit and at rest, and strong identity through your existing single sign-on. Running on-premises adds a fifth: there's no third-party cloud copy to breach.