For John Kuhn, a routine visit to a hospital in Michigan turned into a $20,000 bill for surgery that he never actually received.

Kuhn, who works as a senior threat researcher at IBM, later learned from the hospital that staff had lost a hard drive filled with patient data, including his own record. Kuhn eventually had to prove to the hospital that it was a case of identity theft by pulling up his shirt to show that he didn’t have any post-surgical scars.

Kuhn’s case might seem like a nightmare, but he’s far from alone. More than 113 million medical records were hacked in 2015 alone, according to data compiled by the Health and Human Services. A newly released report from the Institute for Critical Infrastructure Technology, a cybersecurity think tank, found that some 47% of Americans have had their medical record hacked in the past 12 months. As cardiologist and author Eric Topol points out, the majority of patients haven’t ever accessed their medical record before that happens.

But why are medical records now such a hot commodity for hackers and thieves?

Late last week, IBM’s security team took me on a supervised tour of the dark web, which is used by those who want to better hide their identity through Tor and other encryption tools. Many journalists, researchers, and activists leverage the dark web to mask their identity, or that of their sources. But the dark web or darknet also houses illicit erotica, weapons, and more. It was also the former home of Silk Road, an online black market for illegal drugs.

On the dark web, medical records draw a far higher price than credit cards. Hackers are well aware that it’s simple enough to cancel a credit card, but to change a social security number is no easy feat. Banks have taken some major steps to crack down on identity theft. But hospitals, which have only transitioned en masse from paper-based to digital systems in the past decade, have far fewer security protections in place.

On the dark web, complete medical records typically contain an individual’s name, birthdate, social security number, and medical information. These records can sell for as much as (the bitcoin equivalent) of $60 apiece, whereas social security numbers are a mere $15. Stolen credit cards sell for just $1 to $3. During the tour, we spotted one hacker who claimed to have a treasure trove of just shy of 1 million full health records up for grabs.