The personal health information of patients in the United States is not safe, and it needs to be. The vulnerability of health data is clear from the research letter by Liu and colleagues1 in this issue of JAMA. Organizations for which the management of health information is regulated under the Health Insurance Portability and Accountability Act (HIPAA), which are so-called covered entities, must promptly report data breaches affecting more than 500 individuals to the US Department of Health and Human Services. Examining these reports for 2010 through 2013, the authors found 949 events affecting 29.1 million records, with increasing numbers of breaches over time. Two-thirds of data breaches involved electronic data, almost three-fifths theft, and nearly 10% (in 2013) hacking.