Dark Reading is part of the Informa Tech Division of Informa PLC
11:00 AM
Lysa Myers

Stolen Medical Data Is Now A Hot Commodity

While credit cards are selling for a dollar or less on the black market, personal health credentials are commanding as much as $10 per patient. Here's why.

This last year has been brutal in terms of breaches involving the theft of credit and debit card data. Oh sure, it’s been tough for retailers, but how has it been for criminals? With such a glut of card data on the carder market, the prices are being gutted. How are thieves supposed to turn a profit in light of this oversupply?

Fear not, gentle reader! There is plenty of valuable data out there for an enterprising miscreant to sell to make the payment on his or her beloved BMW. And it looks like they’ll be coming after your medical data next.

You may be skeptical as to why a criminal would care about knowing when you got your cholesterol checked, or what allergy meds you’re taking. For better or worse, this is not the only information that is stored at your doctor’s office. Besides your name, address, and billing information, the files there also have your social security number, birth date, insurance policy number, and diagnosis codes. While this is useful for basic identity theft, it’s also incredibly lucrative for medical fraud. Criminals can use this data to buy drugs or medical equipment, or to file fraudulent insurance claims.

Credit cards can now go for a dollar or less on the black market, but stolen health credentials may sell for as high as $10 per patient. Since most credit card companies have robust fraud detection (and many people know to check their monthly statements for anomalies), thefts are often spotted relatively quickly. This is not yet so for medical data theft, which means criminals may be able to rack up purchases for months or even years before they are detected.

When criminals decide what kind of data to steal, they’re not moving towards health credentials simply because they’re worth a lot of money on the black market. Opportunity is another major factor because health records today are not exactly guarded like Fort Knox. This makes it relatively easy to break into healthcare facilities’ networks. In fact, for both cultural and practical reasons, hospitals and clinics can be some of the easiest organizations to breach.

A caring culture
From a cultural perspective, healthcare practitioners are most concerned with their patients’ physical well-being. While this is great for your health, it may give rise to a false sense of security: the belief that criminals would not attack the infrastructure of people trying to help others. Doctors and nurses may also argue against measures meant to increase security if those measures divert budget from medical equipment and supplies, or if they feel the measures might slow them down in an emergency. These are valid concerns, but security and patient care are not mutually exclusive.

(Image: By Flickr user MC4 Army [CC-BY-2.0], via Wikimedia Commons)

I say this because security is important to patients and their health too. Identity theft and medical fraud cause a lot of stress, at the very least. And stress, as we all know, is not good for anyone’s health and well-being.

There are other, practical reasons healthcare facilities may be more at risk. Because many medical devices are meant to last for decades rather than the few years between OS updates, there is quite a lot of medical equipment that still uses Windows XP Embedded. This means those machines may be much easier to breach, unless extra measures are taken to protect them. Once an attacker is inside a network, it may be quick work to reach databases holding patients’ data.

You may be thinking that HIPAA regulation should cover all this, and thus cover medical data. But compliance is not the same thing as security. Organizations may follow the letter of the law to avoid paying fines after a breach, regardless of whether they actually protect assets.

In fact, there has been an increase in medical data breaches. According to the Identity Theft Resource Center, in 2013, 43.8% of breaches were in the health and medical sector versus 34.9% in 2012. According to the Privacy Rights Clearinghouse, this number reached 45% of the total in 2013. While the business sector still represents the largest number of records lost (largely due to mega breaches such as the Target breach), it makes up a significantly smaller percentage of general organizations breached.

It’s still a good idea to maintain good security on credit and debit cards, but it’s also a good time to become more security-aware about our medical data too. How secure are your medical records, and what -- if any -- steps can InfoSec pros take as individuals to keep them out of the hands of criminals? Share your thoughts in the comments.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...
User Rank: Apprentice
9/10/2015 | 12:52:58 PM
commodity market
U.S. labor market strengthening; imported inflation weak 
User Rank: Apprentice
12/2/2014 | 10:21:25 PM
"We can't expect health care practitioners to be responsible for ensuring patients information is protected"

This statement is both false and dangerous. We expect bankers to perform their primary business function AND keep our PII safe. We expect retail establishments to run their business AND protect our data. Why should we expect less from a medical chain or office?

HCPs are the front line in collecting health data. OF COURSE we should expect them to ensure it is protected. If they are not held as part of the responsibility chain, they will do nothing to improve the horrid state of data security in medical practices.

Andrew Clyne
Marilyn Cohodas
User Rank: Strategist
10/15/2014 | 9:58:30 AM
Re: The fun part
Ideally, these HIT systems should increase practitioners' productivity, and free them from the drudgery of records management. But the learning curve is steep and frustrating. And the ROI doesn't happen quickly enough, at least from the healthcare employee perspective.
User Rank: Moderator
10/14/2014 | 4:06:11 PM
Re: The fun part
Sadly I think everyone still struggles with how we properly share information between agencies (healthcare, insurance, etc.) and at the same time ensure that it is properly protected through technologies such as encryption. We can't expect health care practitioners to be responsible for ensuring patients' information is protected (their jobs are obviously to focus on providing patient care), so we really need to better enforce controls for security teams involved with these agencies. The downside is that often there is a lack of awareness and budget to properly protect these resources. There has to be a better way to create these systems moving forward.
[email protected],
User Rank: Apprentice
10/14/2014 | 3:13:16 PM
Data Exposures and Butthurt
I spend a lot of time looking for sensitive data. I have found close to 40 different exposures over the last month or so. One thing I find is that some organizations get upset when one of the good members of the security community find something and report it to them. They use terms such as "illegally accessed" or "stole records" when in each case the access was 100% legal. They just happen to not be as competent in protecting their data as they should be.

Yesterday I set out to find another exposure and in less than an hour found medical records with full SSN. Possible 90k plus records exposed at one time or another. After the initial investigation on my part I will inform this company of the exposure (not breach) and cross fingers they won't get upset. This attitude needs to change.
Marilyn Cohodas
User Rank: Strategist
10/14/2014 | 2:41:14 PM
Re: The fun part
Several years ago a family member of mine requested a copy of a discharge report after a hospital stay and the report she received was someone else's health record. I would hope that those kinds of mistakes don't happen so much anymore. Am I being naive? 
User Rank: Strategist
10/14/2014 | 1:41:46 PM
The fun part
of this is that once something gets "posted" to your medical history, there is neither a mechanism to protest it nor to have it removed. It stays with you. And the major insurance companies have access to all of this to determine your rates, and even eligibility, for various health and life insurance products.