You may not care if a stranger learns that you spent a night in the hospital following knee surgery, but some of your health-care information is much more sensitive. There’s no getting around the fact that breaches, often at the hands of hackers who mine websites for personal data, do occur. But just how widespread are these privacy violations when it comes to personal health information—and who exactly is responsible for them?

To answer these questions, a team of researchers from Michigan State University (MSU) and Johns Hopkins University took a deep dive into health-care records from around the country—and uncovered some surprising facts.

First, the researchers set out to determine just how many patient data leaks had occurred. In their analysis of records from 216 hospitals from 2009 to 2016, they discovered a total of 257 data breaches in patient information, with 33 hospitals experiencing more than one substantial breach. More than 20,000 individuals’ records were compromised in 24 hospitals.

The researchers then got busy with a detailed follow-up analysis to uncover what causes these breaches. They reviewed almost 1,200 breaches, which affected the private health information of more than 164 million patients.

Don’t blame the hackers! In this latest research, which was published in JAMA Internal Medicine, the researchers examined breaches not only occurring in hospitals, but also other places where personal health records are handled, such as doctors’ offices and insurance companies. Surprisingly, 53% of the medical data privacy breaches originated from within the health-care system—they were not caused by hackers or other outside factors. Among the breaches that were caused by external factors, theft (in which medical records or devices with medical records were stolen and typically reported to the police) accounted for 33%—and hacking only 12%.

Sloppy internal privacy practices were the biggest culprit. Typical examples: an employee taking personal health information home or forwarding it to a personal account or device, accessing data without authorization, or simply making e-mail mistakes, such as sending records to the wrong recipients or sharing unencrypted content.

“Hospitals, doctors’ offices, insurance companies, small physician offices and even pharmacies are making these kinds of errors and putting patients at risk,” explained John (Xuefeng) Jiang, PhD, lead author of the research and associate professor of accounting and information systems at MSU’s Eli Broad College of Business.

Why this matters: The consequences of a personal data breach can be far-reaching. There’s the possibility for embarrassment (maybe you’ve had cosmetic surgery that you’d prefer to keep private)…and serious financial consequences—identity theft can empty your bank account, destroy your credit and prevent you from obtaining a loan.

In 2015, for example, insurance giant Anthem, Inc., experienced a data breach and 37.5 million health-care records were exposed. The company did not immediately make the news of the breach public, so many of the people whose data was compromised found out only at tax time…when they learned that the data obtained from Anthem had already been used by a fraudster to file their taxes.

What you can do: You can’t change your health-care providers’ security software, but you can inquire about their privacy procedures to determine whether you trust the systems they use. Ask these questions anytime you share your medical and personal information with your doctor’s office, a hospital, insurance company or other health-care provider…

  • Do you use digital (instead of paper) medical records? Are the electronic files encrypted and stored safely?
  • Do you verify all e-mail addresses before sending medical information?
  • Do you have a notification system in place to immediately alert patients of any information breach?

If the answer to any of these questions is “no,” it’s worth a discussion with the office manager…and if you’re still not satisfied that your health records are sufficiently protected, it may be time to change your health-care or insurance provider.