I wonder if the HDD the author used to store those bits is also having read errors, which the drive is correcting on the fly.

It's very likely! There are a couple of approaches one can take to detect this:

* The rip log generated by EAC includes a CRC of the audio data. I can calculate this independently to ensure the data is the same as what EAC wrote.

* The rip log itself has a checksum that can validate the CRCs are intact.

* I archive my rips in Google Cloud Storage along with a sha256. If my NAS's copy goes bad I can fetch the backup, and validate that it's the original data.

Alternatives or additions:

* Store par2 parity information alongside your cloud storage and/or NAS: https://github.com/Parchive/par2cmdline

* Use a file system with strong data checks and repairability, basically meaning ZFS with a sufficiently redundant setup. "zpool scrub" can do wonders, and you can guarantee backups to a different pool are identical to the source.
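The sha256-alongside-the-archive check mentioned in the thread, as an added example (not any commenter's own script): a digest is recorded at archive time, then used later to decide whether the NAS copy or the fetched backup still matches the original data. The `.sha256` sidecar naming, the function names and the sample file are assumptions made for illustration.

```python
import hashlib
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB blocks so large rips are not loaded into memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_sidecar(path: Path) -> Path:
    """Record the digest at archive time in sha256sum format: '<hex>  <name>'."""
    sidecar = path.with_name(path.name + ".sha256")  # assumed naming convention
    sidecar.write_text(f"{sha256_file(path)}  {path.name}\n")
    return sidecar


def read_sidecar(sidecar: Path) -> str:
    """Return the recorded digest, rejecting a damaged or truncated sidecar."""
    fields = sidecar.read_text().split()
    digest = fields[0].lower() if fields else ""
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed sidecar: {sidecar}")
    return digest


def pick_good_copy(sidecar: Path, nas_copy: Path, backup_copy: Path) -> str:
    """Return 'nas', 'backup' or 'none' depending on which copy still matches."""
    recorded = read_sidecar(sidecar)
    for label, candidate in (("nas", nas_copy), ("backup", backup_copy)):
        if candidate.exists() and sha256_file(candidate) == recorded:
            return label
    return "none"
```

The sidecar is only useful if it is stored separately from the data it describes, since a fault that damages both leaves nothing to compare against.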