Government data should be secure, right? Think again. A new study has discovered 443 breaches involving 168,962,628 records in the past 4.5 years.
These figures include database breaches, as well as electronic and paper breaches, according to findings by technology research website Comparitech, which analyzed government data breaches since 2014, using reports by the Identity Theft Resource Center.
Breaches can be extensive—such as a flaw in the U.S. Postal Service network that exposed the account details of 60 million users in 2018—or simple human error, such as mailing information to the wrong address. 2018 was the worst year, with 100 breaches involving 81,505,426 records, according to the study
The agencies that have proven to be the most vulnerable? The U.S. Postal Service and the Office of Personnel Management. The agencies take the top two places in the list of the Top 10 largest breaches by number of records exposed, with 60,000,000 and 21,500,000 records exposed respectively, and both appear twice in that list. The third biggest breach was of the California Secretary of State in 2017, with 19,200,000 records exposed.
But the agencies breached the most frequently? That would be the Department of Health and Veterans Affairs. Health saw 29 cases since 2014, involving 174,547 records, while the VA had 33 cases involving 113,786 records. City networks have also proven to be particularly vulnerable.
Looking at the data on a state-by-state basis, it should not be surprising that Washington, D.C., the home of many government agencies and offices, has had the most data breaches, totaling 37 cases affecting 95,166,900 records. California has the highest total number of cases—57—but less than a third as many records were affected: 24,299,303.
Smaller states are not immune to data breaches though either—and in some cases may see even more people affected. Alabama, for example, has recorded only five cases since 2014, but a notable 1,397,389 records were affected.
Just three states have not had a single data breach in the last several years: Hawaii, Nebraska, and West Virginia, according to the study.
Update: The U.S. Postal Service notes that it “found no adverse impacts on consumers or business customers from the vulnerability in 2018.”
More must-read stories from Fortune:
—What people get wrong about artificial intelligence and China
—Why an EU investigation into Amazon could change the way the e-tailer works
—The trouble with regulating big tech
—Will A.I., blockchain, 5G, and VR give companies a competitive edge?
—Listen to our new audio briefing, Fortune 500 Daily
Follow Fortune on Flipboard to stay up-to-date on the latest news and analysis.
