Lysa Myers

Stolen Medical Data Is Now A Hot Commodity

While credit cards are selling for a dollar or less on the black market, personal health credentials are commanding as much as $10 per patient. Here's why.

This last year has been brutal in terms of breaches involving the theft of credit and debit card data. Oh sure, it’s been tough for retailers, but how has it been for criminals? With such a glut of card data on the carder market, the prices are being gutted. How are thieves supposed to turn a profit in light of this oversupply?

Fear not, gentle reader! There is plenty of valuable data out there for an enterprising miscreant to sell to make the payment on his or her beloved BMW. And it looks like they’ll be coming after your medical data next.

You may be skeptical as to why a criminal would care about knowing when you got your cholesterol checked, or what allergy meds you're taking. For better or worse, this is not the only information that is stored at your doctor's office. Besides your name, address, and billing information, the files there also hold your Social Security number, birth date, insurance policy number, and diagnosis codes. While this is useful for basic identity theft, it's also incredibly lucrative for medical fraud. Criminals can use this data to buy drugs or medical equipment, or to file fraudulent insurance claims.

Credit cards can now go for a dollar or less on the black market, but stolen health credentials may sell for as high as $10 per patient. Since most credit card companies have robust fraud detection (and many people know to check their monthly statements for anomalies), thefts are often spotted relatively quickly. This is not yet so for medical data theft, which means criminals may be able to rack up purchases for months or even years before they are detected.

When criminals decide what kind of data to steal, they’re not moving towards health credentials simply because they’re worth a lot of money on the black market. Opportunity is another major factor because health records today are not exactly guarded like Fort Knox. This makes it relatively easy to break into healthcare facilities’ networks. In fact, for both cultural and practical reasons, hospitals and clinics can be some of the easiest organizations to breach.

A caring culture
From a cultural perspective, healthcare practitioners are most concerned with their patients' physical well-being. While this is great for your health, it may give rise to a false sense of security: practitioners may believe that criminals would not attack the infrastructure of people trying to help others. Doctors and nurses may also argue against measures meant to increase security if they divert budget from medical equipment and supplies, or if they feel they might slow them down in an emergency. These are valid concerns, but security and patient care are not mutually exclusive.

(Image: By Flickr user MC4 Army [CC-BY-2.0], via Wikimedia Commons)

I say this because security is important to patients and their health too. Identity theft and medical fraud cause a lot of stress, at the very least. And stress, as we all know, is not good for anyone’s health and well-being.

There are other, practical reasons healthcare facilities may be more at risk. Because many medical devices are meant to last for decades rather than the few years between OS updates, there is quite a lot of medical equipment that still uses Windows XP Embedded. This means those machines may be much easier to breach, unless extra measures are taken to protect them. Once an attacker is inside a network, it may be quick work to reach databases holding patients’ data.

You may be thinking that HIPAA regulation should cover all this, and thus that medical data is already protected. But compliance is not the same thing as security. Organizations may follow the letter of the law to avoid paying fines after a breach, regardless of whether they actually protect their assets.

In fact, there has been an increase in medical data breaches. According to the Identity Theft Resource Center, in 2013, 43.8% of breaches were in the health and medical sector, versus 34.9% in 2012. According to the Privacy Rights Clearinghouse, this number reached 45% of the total in 2013. While the business sector still represents the largest number of records lost (largely due to mega breaches such as the Target breach), it accounts for a significantly smaller share of the organizations breached.

It's still a good idea to maintain good security on credit and debit cards, but it's also a good time to become more security-aware about our medical data. How secure are your medical records, and what -- if any -- steps can InfoSec pros take as individuals to keep them out of the hands of criminals? Share your thoughts in the comments.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...
User Rank: Strategist
10/14/2014 | 1:41:46 PM
The fun part
of this is that once something gets "posted" to your medical history, there is neither a mechanism to protest it nor to have it removed. It stays with you. And the major insurance companies have access to all of this to determine your rates, and even eligibility, for various health and life insurance products.
Marilyn Cohodas,
User Rank: Strategist
10/14/2014 | 2:41:14 PM
Re: The fun part
Several years ago a family member of mine requested a copy of a discharge report after a hospital stay and the report she received was someone else's health record. I would hope that those kinds of mistakes don't happen so much anymore. Am I being naive? 
[email protected],
User Rank: Apprentice
10/14/2014 | 3:13:16 PM
Data Exposures and Butthurt
I spend a lot of time looking for sensitive data. I have found close to 40 different exposures over the last month or so. One thing I find is that some organizations get upset when one of the good members of the security community finds something and reports it to them. They use terms such as "illegally accessed" or "stole records" when in each case the access was 100% legal. They just happen to not be as competent in protecting their data as they should be.

Yesterday I set out to find another exposure and in less than an hour found medical records with full SSN. Possible 90k plus records exposed at one time or another. After the initial investigation on my part I will inform this company of the exposure (not breach) and cross fingers they won't get upset. This attitude needs to change.
User Rank: Moderator
10/14/2014 | 4:06:11 PM
Re: The fun part
Sadly, I think everyone still struggles with how we properly share information between agencies (healthcare, insurance, etc.) and at the same time ensure that it is properly protected through technologies such as encryption. We can't expect health care practitioners to be responsible for ensuring patients' information is protected (their jobs are obviously to focus on providing patient care), so we really need to better enforce controls for security teams involved with these agencies. The downside is that often there is a lack of awareness and budget to properly protect these resources. There has to be a better way to create these systems moving forward.
Marilyn Cohodas,
User Rank: Strategist
10/15/2014 | 9:58:30 AM
Re: The fun part
Ideally, these HIT systems should increase practitioners' productivity and free them from the drudgery of records management. But the learning curve is steep and frustrating. And the ROI doesn't happen quickly enough, at least from the healthcare employee perspective.
User Rank: Apprentice
12/2/2014 | 10:21:25 PM
"We can't expect health care practitioners to be responsible for ensuring patients information is protected"

This statement is both false and dangerous. We expect bankers to perform their primary business function AND keep our PII safe. We expect retail establishments to run their business AND protect our data. Why should we expect less from a medical chain or office?

HCPs are the front line in collecting health data. OF COURSE we should expect them to ensure it is protected. If they are not held as part of the responsibility chain, they will do nothing to improve the horrid state of data security in medical practices.

Andrew Clyne
<[email protected]>
User Rank: Apprentice
9/10/2015 | 12:52:58 PM
commodity market
U.S. labor market strengthening; imported inflation weak 