Why The Black Market for Unprotected Healthcare Information Continues to Explode
Some things should never be sold, but for the wrong people everything has a price, and healthcare data continues to be one of the most profitable commodities in cybercrime.
Over the past several years, healthcare has remained a top target for breaches and ransomware, with incidents driven by a mix of aging systems, complex vendor ecosystems, and the operational reality that hospitals and clinics can’t simply “shut down” when attacked. Now, attackers are also accelerating their playbooks with better automation, more convincing social engineering, and AI-assisted phishing and fraud.
Why Healthcare Data? Why Does it Keep Happening?
Healthcare organizations face a unique combination of high-value data, high operational pressure, and high complexity:
- High-value, high-utility data: Medical and insurance information can be used for long-term identity fraud, financial fraud, and targeted scams. Unlike a credit card, you can’t “cancel and reissue” a medical history.
- Operational urgency: When patient care is on the line, downtime becomes extremely expensive, creating pressure to restore systems quickly and, in some cases, increasing the risk of ransom payment.
- Broad attack surface: EHR systems, connected medical devices, imaging systems, remote access tools, cloud services, and a large network of third-party providers create many ways in.
- Resource constraints: Many providers are still balancing modernization, staffing shortages, and budget limitations—often while maintaining legacy applications that are hard to patch or segment.
- Vendor and supply-chain exposure: Breaches increasingly originate through partners—billing, transcription, claims processing, MSPs, and other service providers with access to sensitive systems and data.
Regulations like HIPAA set important baselines, but compliance alone doesn’t stop modern threats like ransomware-as-a-service, double extortion (encrypt + leak), credential stuffing, and business email compromise.
What Makes Healthcare Records So Valuable on The Black Market?
While the “price per record” can vary dramatically by dataset quality and buyer intent, healthcare information tends to command a premium because it’s both complete and durable. A typical patient record may include many elements criminals want in one package—identity details, contact information, insurance identifiers, billing information, and clinical data.
That completeness makes it useful for fraud that can continue for months (or longer) before a victim realizes what happened.
What Do Cybercriminals Do With Healthcare Information?
Many attackers first exfiltrate data and then monetize it, whether by selling it, using it directly, or using it to pressure organizations during extortion.
- Extortion and “leak threats”: Attackers steal data and threaten to publish it to force payment even if backups exist.
- Medical identity theft: Using patient identities to obtain care, file claims, or access prescriptions.
- Financial fraud: Opening accounts, applying for credit, or passing knowledge-based verification using rich personal data.
- Targeted social engineering: Highly personalized phishing or scam calls using details from records (insurance carrier, provider names, recent procedures) to sound legitimate.
- Account takeover: Using stolen credentials and password reuse to access patient portals, billing systems, or HR/payroll systems tied to healthcare organizations.
Financial Fraud
Although other types of data can be used to drive financial fraud, healthcare data can be “better” in one critical way: it often contains enough personally identifying detail to defeat common verification steps. A stolen card can be flagged quickly; a full identity package can be used to build entirely new fraud accounts that look legitimate.
Medical Identity Theft
A shopping spree is costly, but medical identity theft can be financially and medically devastating. Bad actors may use stolen information to obtain prescriptions, file false insurance claims, or receive services under someone else’s name. Beyond the money, victims can face problems correcting their medical histories—creating risks that follow them into future care.
What Can You Do to Protect Yourself?
Even as healthcare security improves, individuals should take practical steps to reduce risk and limit damage if information is exposed:
- Use a password manager and enable multi-factor authentication (MFA) on patient portals, email, and financial accounts.
- Freeze your credit with the major bureaus if you’re concerned about identity fraud (and unfreeze temporarily when needed).
- Watch for “medical EOB” and billing anomalies: Review explanations of benefits, claims, and provider bills for services you didn’t receive.
- Be skeptical of urgent calls/texts claiming to be from insurers, pharmacies, or providers—verify using official phone numbers.
- Use IdentityTheft.gov if you suspect identity theft, and keep documentation of all actions taken.
For more guidance, visit IdentityTheft.gov and the Federal Trade Commission’s resources on medical identity theft.
What Can Healthcare Organizations Do?
If you’re a business or organization, reducing risk requires both technical controls and operational readiness. Prioritize the fundamentals that stop the most common entry points and reduce blast radius:
- Backups that are tested and isolated: Make sure recovery is real, not theoretical.
- MFA everywhere (especially remote access): Email, VPN, admin tools, EHR access, and vendor access.
- Patch and vulnerability management: Focus first on internet-facing systems, remote access, and known exploited vulnerabilities.
- Network segmentation: Reduce lateral movement between business systems, clinical systems, and critical infrastructure.
- Vendor risk management: Limit access, require strong authentication, monitor activity, and validate security requirements contractually.
- Security awareness that matches modern tactics: Train for phishing, voice scams, and payment diversion—then reinforce with technical controls (DMARC, email filtering, conditional access).
- Incident response planning: Tabletop exercises, clear decision ownership, and tested communications plans—including downtime procedures for patient care.
A single compromised team member can give attackers a foothold in the business network, so make sure your team members are taking precautionary measures as well.
This blog was originally posted in November of 2019 and has been updated for accuracy and current trends.


