Retailers like Target and Neiman Marcus have been in the spotlight lately for cyber security breaches but a recent study suggests that your health care provider might be more vulnerable to hacks.

In part, that’s because, our medical records are easy targets because they can increasingly be accessed online, said Barbara Nelson, who is with IronKey, a company that sells encrypted storage devices.

“The healthcare community, especially doctors and nurses, they’re concerned about healing people,” Nelson said. “And it just takes time for these people to change their infrastructure, it’s also expensive.”

Nelson said many healthcare providers still don’t encrypt patient data on laptops or USB sticks, which are often used to transfer files at a hospitals.  

And many providers still give full access to medical records to anybody with a password from doctors to receptionists, said Sam Imandoust, a legal analyst at the non-profit Identity Theft Resource Center.

“And considering the value of these patient records where anywhere they can be anywhere from $50 to $500 apiece,” that can be a big temptation for insiders to sell their passwords to hackers.

Imandoust says hackers mostly mine the data for insurance records, which they use to buy prescription drugs. He says 1 million medical records were reported stolen last year but the number is probably much higher because lots of providers stay mum about hacks.