Lists containing personal information related to around 103,000 people, including public health insurance card numbers, have been leaked, with some of the information sold off in what could be Japan’s largest ever case of data theft.

An official at the Health, Labor and Welfare Ministry said lists compiled by hospitals and pharmacies may have been leaked, and that the ministry has begun an investigation.

The revelation comes amid growing concern over the government’s handling of personal information ahead of the start next month of the My Number social security and tax number scheme, in which 12-digit ID numbers have been allocated to all residents of Japan.

“It is highly likely that they have leaked from multiple medical institutions,” said Harumichi Yuasa, a professor at the Institute of Information Security, adding a data leak of this magnitude involving medical information is unprecedented.

An official with a list brokerage firm that obtained some of the personal information said it had acquired the data from another broker in December 2008, and sold some of the information despite being surprised at how sensitive it was.

Health insurance cards, which can be used for identification purposes to open bank accounts and apply for credit cards, could be reissued by just providing card numbers, names and addresses, raising concerns the information could be used to commit fraud.

The leaked data included information on people in 46 of the 47 prefectures, largely in the western Kinki and Shikoku regions.

The records of about 37,000 people, the largest number, were exposed in Osaka Prefecture, followed by some 25,000 in Nara Prefecture and about 24,000 in Shiga Prefecture.

Kyodo News was able to obtain copies of the lists and confirm the accuracy of the names, addresses, birthdays and phone numbers of 44 people from 27 households who agreed to be interviewed. The public health insurance card numbers for 11 of them were also up to date.

It is believed the leaked data also included statements detailing health expenses and other records handled by medical institutions.

Following a massive customer data theft from Benesse Holdings Inc. in 2014, which affected at least 28.95 million customers, many institutions, including hospitals and other medical organizations, enhanced their security measures.

However, Hiroshi Fukatsu, head of the Aichi Medical University’s medical information division, said system maintenance service companies can easily steal such information through online methods, even from outside hospitals. “Anyone who knows how to do it can also delete the login history,” he added.

Since 2001, the government has encouraged the use of information technology to manage medical records as a way to improve work efficiency and cut costs. It also plans to let medical institutions share medical information under the new My Number system.

“Information such as the medical history is very sensitive and should be handled with utmost care,” Fukatsu warned.

“I used to think about it as somebody else’s problem,” said a 47-year-old woman from Otsu, Shiga Prefecture, whose information, as well as that of her relatives, had been leaked. “I had never felt the information was misused, but (knowing the data has been leaked) makes you feel uncomfortable.”

A 49-year-old taxi driver from the city of Osaka said the health insurance number he used over 10 years ago was leaked. He is now concerned a similar thing might happen when the My Number scheme begins.

The government says not all personal information will be exposed, even if the personal number is leaked. Still, the public remains largely skeptical and unconvinced.

A 52-year-old unemployed man also from Osaka said the My Number system is at risk of a leak. He added that he has no intention of applying for the identification card carrying his individual number because his personal information might get stolen.

“I am going to give my personal number to my employer but this news has frightened me,” a 67-year-old female part-time worker from Osaka also said