Over 40 million people in the United States had their personal health information exposed in data breaches this year, a significant jump from 2020 and a continuation of a trend toward more and more health data hacks and leaks.

Health organizations are required to report any health data breaches that impact 500 or more people to the Office for Civil Rights at the Department of Health and Human Services, which makes the breaches public. So far this year, the office has received reports of 578 breaches, according to its database. That’s fewer than the 599 breaches reported in 2020, but last year’s breaches only affected about 26 million people.

Since 2015, hacks or other IT incidents have been the leading reason people have their health records exposed, according to a report from security company Bitglass. Before then, lost or stolen devices led to the most data breaches. The transition coincided with federal rules in the US requiring that healthcare organizations use electronic medical records and the broader switch toward digital tools like internet-connected monitors in healthcare. Medical records are valuable on the black market — they have information that’s harder to change than a credit card and can be used to make fake medical claims or purchase medications.

There are a few ways these types of breaches can harm patients: people can have private information exposed and could have to deal with the financial repercussions of having their medical identity stolen. Hacks and attacks on healthcare institutions that shut down hospital computer systems can make it harder for them to deliver quality care, and that can be harmful to the people treated there. Research shows that more people die in hospitals suffering from data breaches, even those that don’t result in a computer system shutdown.

Many healthcare organizations haven’t prioritized investment in cybersecurity, even as the risk of cyberattacks continues to go up. The biggest breach in 2021, for instance, was from a cyberattack of the Florida Healthy Kids Corporation health plan, which exposed the information of 3.5 million people. An analysis after the attack found that the plan’s website had “significant vulnerabilities,” according to Health News Florida.

Experts say, though, that the spikes in attacks over 2020 and 2021 — particularly in ransomware attacks — are pushing organizations to take the threat more seriously.