More than 40 million Americans’ medical records have been stolen or exposed so far this year because of security vulnerabilities in electronic healthcare systems, a USA TODAY analysis of Health and Human Services data found.

And the problem is steadily worsening. From 2010 to 2014, the first five years that data was collected, close to 50 million people had their medical data stolen. In the following five years, that number quadrupled. And health privacy breaches have continued to grow on the heels of the COVID-19 pandemic.

Federal law strictly prohibits medical institutions — hospitals, insurance companies and outpatient clinics — from sharing patient information, and requires that companies take steps to shield sensitive data from prying eyes.

More vulnerabilities have emerged as healthcare providers shift their records online and fail to protect legacy systems. Hacking accounts for about half of all security breaches, while about one-third are caused by employee errors, such as lost computers or accidental disclosures, our analysis shows.