The number of reported U.S. data breaches hit an all-time high in 2016, thanks in part to new CEO phishing hacks that send phony emails to employees requesting sensitive business data.

Researchers from the Identity Theft Resource Center and data-security provider CyberScout scoured federal and state government records from 2016 and estimated a total of 1,093 breaches occurred last year. The record-high represents a 40% hike in the number of incidents over the previous period.

Experts are unsure whether the 2016 spike was caused by a surge of actual breaches, an uptick in incident reporting, or some combination of both.

“For the past 10 years, the ITRC has been aware of the under-reporting of data breach incidents on the national level and the need for more state or federal agencies to make breach notifications more publicly available,” said ITRC president and CEO Eva Velasquez. “This year we have seen a number of states take this step by making data breach notifications public on their websites.”

The center defines a data breach as an incident that puts personal information at risk, like exposing an individual’s name combined with a Social Security number, driver’s license number, or medical records. For the eighth consecutive year, hacking and phishing attacks were the leading cause of breaches.

In fact, hacking breaches skyrocketed in 2016. The 607 breaches represent an increase of almost 18 percentage points over the prior-year period. An estimated 26 million personal records were exposed after hacking breaches.

All other attacks types of data breaches, for example thefts from company insiders, attacks on third-party vendors, and incidents of employee negligence, declined.

With the increases in hacking and phishing, the number of CEO spear-phishing breaches also rose. Known as business email compromise schemes, these attacks lure executives into exposing highly sensitive information, like state and federal tax filing data, through the use of phony emails.

“For businesses of all sizes, data breaches hit close to home, thanks to a significant rise in CEO spear phishing and ransomware attacks,” said Matt Cullina, chief executive of CyberScout. “With the click of a mouse by a naïve employee, companies lose control over their customer, employee, and business data.”

The 2016 ITRC report began tracking breaches in 2005 and compiled the breaches into five industry sectors. Both the business and the health-care sectors continue to see steady rises in the number of incidents over the past decade, now representing almost 80% of total incidents. The education, government, and banking sectors have each experienced overall declines over the same period.

With 494 reported incidents, the business sector topped the list for the second consecutive year. The ITRC estimates more than 5 million records have been exposed after hacking breaches in this sector alone.

On the other hand, the health-care sector has slowed the data-breach bleeding perhaps by reinforcing its networks in recent years. The 377 incidents make the healthcare sector the second most breached sector, but represent a steady decline in activity in the sector over the past three years.

The education, government, and banking sector sustained only 222 incidents combined, representing just over 20% of total breaches.