
A Buyers’ Market: Healthcare Data in Underground Markets


Stolen healthcare information is valued the highest on criminal forums, often resurfacing for sale after a compromise.

Bundles of personal data records are referred to as fullz on the underground marketplaces by criminals. The data can include names, addresses, phone numbers, social security numbers (SSNs) and date of birth, all of which can be used for medical fraud, impersonation or even extortion.

Some criminals buy specific types of medical records, like those from a certain country. And, as Cynerio researchers recently found, there are criminals selling fullz of children stolen from pediatricians—marketing them as coming from “good families that can provide medical support.”

Along with individuals' PHI and medical records, criminals also sell ways to access hospital networks remotely, such as SMTP server access and remote code execution tools. Hospital networks comprise many kinds of devices and systems: electronic healthcare records (EHR) systems, connected medical devices that monitor patients, nursing-station desktop computers, database servers and more. With that access, criminals could send phishing emails from a hospital domain to patients or other healthcare employees, and potentially unleash malware on networked hospital machines.

As seen with ransomware infections in the past, malware on the network can spread rapidly, bring critical hospital operations to a standstill, and deny healthcare professionals access to patient records. WannaCry, a global ransomware attack that spread throughout the U.K.'s National Health Service (NHS), affected 80 out of 236 trusts across England. Many hospital employees were locked out of their devices, and other hospitals shut down their email and other systems as a precaution.

The Value of Data

Last year, Trustwave's Value of Data report estimated the mean value of a healthcare record on criminal forums at $250, with certain healthcare records selling for as much as $1,000, which makes them the most valuable type of personally identifiable information. In comparison, payment card details were valued at $5.40, followed by banking records ($4.12) and access credentials ($0.95).

But healthcare records contain personally identifiable information, insurance and policy numbers, medical diagnoses, social security numbers, billing information and more: the type of data that is far harder to cancel or recover once stolen. Criminals can use this data to file fake insurance claims or tax returns in your name.

Attackers will often spoof email addresses in order to send mass or targeted phishing emails to patients, healthcare employees, and/or vendors. Phishing attacks can lead to stolen usernames and passwords, giving hackers access to EHR systems, servers and databases of sensitive patient data records that can be sold on the black market forums.

Preventing Theft

According to email authentication vendor Valimail, 98.3 percent of the healthcare companies it analyzed were not using Domain-based Message Authentication, Reporting and Conformance (DMARC) with policy enforcement. DMARC is a standard that helps detect and prevent email spoofing, that is, impersonating a trusted individual or organization.

However, it doesn't protect against lookalike-domain spoofing, which uses variations or misspellings of a company's name to fool users into opening phishing emails or handing their information to attackers.
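As an added illustration of what "policy enforcement" means in the Valimail statistic above, and of why a lookalike domain falls outside a DMARC policy, the following Python snippet (written for this page, not code from the article, Valimail or any vendor) parses constructed DMARC TXT records, classifies each as missing, monitor-only, partial or enforced, and shows that a misspelt domain such as `hospita1.example` is never covered by `hospital.example`'s record. The domain names and records are invented for the example; a real check would fetch `_dmarc.<domain>` over DNS instead of reading the `SAMPLE_RECORDS` dict.

```python
from typing import Dict, Optional

# Constructed sample DMARC TXT records for made-up domains (not real organisations).
# None stands for "no _dmarc TXT record published".
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "hospital.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital.example; pct=100",
    "clinic.example": "v=DMARC1; p=none; rua=mailto:reports@clinic.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "nodmarc.example": None,
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lowercase tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def enforcement_status(record: Optional[str]) -> str:
    """Classify a record as 'missing', 'monitor-only', 'partial' or 'enforced'.

    Only p=quarantine or p=reject applied to 100% of mail counts as enforcement;
    p=none merely asks receivers for reports and blocks nothing.
    """
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"  # a malformed record is ignored by receivers
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return "monitor-only"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return "enforced" if pct >= 100 else "partial"


def fraction_unenforced(records: Dict[str, Optional[str]]) -> float:
    """Share of domains without full enforcement, the figure a survey would report."""
    total = len(records)
    unenforced = sum(1 for r in records.values() if enforcement_status(r) != "enforced")
    return unenforced / total if total else 0.0


def dmarc_applies(from_domain: str, org_domain: str) -> bool:
    """A DMARC policy covers the organisational domain and its subdomains only.

    A lookalike such as 'hospita1.example' is a different domain, so the real
    hospital's policy never applies to it; the attacker can even publish their
    own passing record for it.
    """
    f = from_domain.lower().rstrip(".")
    o = org_domain.lower().rstrip(".")
    return f == o or f.endswith("." + o)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, org_domain: str, max_distance: int = 2) -> bool:
    """True when a sender domain is outside the DMARC policy yet visually close
    to the organisation's name (the gap the article says DMARC leaves open)."""
    if dmarc_applies(candidate, org_domain):
        return False
    cand_label = candidate.lower().split(".")[0]
    org_label = org_domain.lower().split(".")[0]
    return edit_distance(cand_label, org_label) <= max_distance


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:20} {enforcement_status(record)}")
    print(f"unenforced: {fraction_unenforced(SAMPLE_RECORDS):.0%}")
    for sender in ("mail.hospital.example", "hospita1.example", "clinic.example"):
        print(sender, "covered" if dmarc_applies(sender, "hospital.example") else "not covered",
              "lookalike" if is_lookalike(sender, "hospital.example") else "")
```

The `is_lookalike` check is the kind of secondary control (alongside user training) that fills the gap DMARC leaves: a mail gateway or SOC rule can flag inbound senders whose domain is a short edit distance from the organisation's own, since DMARC by design says nothing about them.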

The Office for Civil Rights gave healthcare organizations guidance on how to avoid becoming a victim of a phishing attack. Suggestions include verifying messages with the actual sender over a separate channel of communication, such as a phone call or in person, and using multi-factor authentication to reduce the risk of someone logging in with a stolen (phished) password. Keeping systems patched and up to date can help prevent malware infection if a user clicks on a malicious link or attachment. Backing up data regularly won't prevent a phish, but it helps with recovery in the case of a ransomware infection. Finally, be cautious with any request for information from a third party, even if it appears to come from a business associate.