Sure, that's the definition of PHI, but is ESHYFT a HIPAA covered entity? If not, then the definition of PHI isn't legally relevant (although they still have an ethical requirement to secure employee data, and might have violated other data protection laws).
https://www.hhs.gov/hipaa/for-professionals/covered-entities...