4.5 million hospital records were hacked, apparently by a notorious Chinese hacking group. I've been concerned about the security of medical records for years – the issue has been obscured by the huge business breaches like Target, Neiman Marcus, and now Home Depot (the work of Russian hacking teams, usually based in Odessa, Ukraine).
There's a basic structural problem right now with IT security. There aren't enough security experts to go around, and businesses and institutions often have no clue what they're doing. Securing computer records and networks, especially those with any link to the internet, requires a lot of expertise and constant, up-to-date awareness of threats and types of attacks. Think about all the doctors' offices and hospitals you go to. The small practices in particular are not going to have a clue about IT security – yet they're going to have a lot of sensitive information about you. Psychologists, psychiatrists, drug rehab facilities, etc. – they have very sensitive records, but I wouldn't expect them to do a good job of securing them. If they've got PCs with web access, which they will, and those PCs are on a network with PCs that hold your records, there's your vector. (And it will often be the same PCs...)
I think it's best to assume our records are compromised. It's much easier to breach a medical practice than to breach Target. I think it's probably wise to extrapolate from all the breaches you hear about and assume there are a lot more. Security experts say this all the time.
This means you might want to think about what you disclose when you complete all the forms these various places require. It might be wise to just tell a doctor or other professional something you think might be important about your medical history instead of putting it down on a form (though it still might end up in your file because they take notes and so forth – ultimately our medical records are going to have to be populated with medical information). And when you're visiting unrelated practitioners, you don't need to disclose everything about your medical history, even though the forms ask for it – for example, if you're seeing a physical therapist for a bad knee, maybe you don't need to document your colon cancer or drinking habits, even though their intake forms ask about that kind of stuff (the forms are often boilerplate – they're not necessarily designed for the needs of the practice that uses them).