In practice, hospitals are the guardians of a great deal of healthcare data. Physicians and their staffs are guardians of healthcare data, too—and in both cases, there is a great deal of protected health information (PHI) involved. But hospitals are large institutions with staffs, including health information management (HIM; formerly, “medical records”) professionals, as well as IT professionals. And while individuals who actually do the stealing of data are investigated and brought to justice whenever possible, as the practical guardians of data, hospitals are tasked with protecting it, under HIPAA and other regulations. In certain ways, one could argue the unfairness of the degree to which hospitals are burdened by this mandate for protection, but in practice, there’s no way around holding them accountable for at least a part of the responsibility involved.