From a recent POLITICO Article:
America’s medical records systems are flirting with disaster, say the experts who monitor crime in cyberspace. A hack that exposes the medical and financial records of hundreds of thousands of patients is coming, they say — it’s only a matter of when.
As health data become increasingly digital and the use of electronic health records booms, thieves see patient records in a vulnerable health care system as attractive bait, according to experts interviewed by POLITICO. On the black market, a full identity profile contained in a single record can bring as much as $500.
The issue has yet to capture attention on Capitol Hill, which has been slow to act on cybersecurity legislation.
The full POLITICO Article can be read here.
Information Governance-101 
Yes, these types of records are ripe for theft, and are being stolen all the time. Breaches of Protected Health Information (PHI) will continue to happen until both Covered Entities and Business Associates get serious about putting in place the necessary controls for ensuring the safety and security of PHI. It means developing comprehensive HIPAA policies and procedures, undertaking annual security awareness training and risk assessments, and many other critical activities. Sure, budgets are tight and margins are thin in today’s competitive business landscape, but what business do you have if PHI is breached and seriously compromised? I think most companies truly want to do all they can in protecting PHI and becoming HIPAA compliant, but it just seems overwhelming at first because of the massive amount of policies, procedures, and processes that need to be in place. My advice; take a deep breath, find an experienced HIPAA consultant, get a hold of some quality HIPAA policy templates and begin the process. You’ll get there!