This is how hackers make money from your stolen medical data

Stolen medical information can sell for up to six times as much as PII, and there are reasons for that.
Written by Charlie Osborne, Contributing Writer

Data breaches have become so common that their impact, at least in many of our minds, has lessened.

When we hear of so-many-millions of accounts compromised, or that the information of countless users of a service has been stolen, the sheer volume of data lost can disguise the individual impact.

When financial information such as bank card numbers and security codes are taken, they can be used to create clone cards for making fraudulent transactions. Social Security numbers, home addresses, full names, dates of birth, and other Personally Identifiable Information (PII) can be utilized in identity theft, but when it comes to medical information, the reasons for theft are not so clear.

Medical data may include past and present health conditions, pharmacy prescriptions, hospital records, insurance details, and online medical account credentials.

In recent years, Singapore's SingHealth, the largest group of healthcare institutions in the country, suffered a data breach which leaked the details of 1.5 million patients -- including Prime Minister Lee Hsien Loong. Atrium Health's billing provider exposed the information of 2.65 million of the health system's patients, and only last week, client data belonging to People Inc., New York's non-profit human services agency, was compromised.

According to a new report released by Carbon Black on Wednesday, an examination of current Dark Web listings for stolen, leaked, and fake medical data reveals just how hackers are using this information for their own ends.

The most expensive offering on the market is provider information which can be used to forge a medical background, an alarming prospect given the harm that could be done when someone without qualifications poses as a medical professional.

These include insurance documents, medical diplomas, doctor licenses, and DEA licenses, all of which can be snapped up for roughly $500 per listing. The report says:

"A hacker compromises the corporate network of a healthcare provider to find administrative paperwork that would support a forged doctor's identity. The hacker then sells to a buyer or intermediary (who then sells to the buyer) for a high enough price to ensure a return on investment but low enough to ensure multiple people buy the item.

The buyer poses as the stolen doctor's identity and submits claims to Medicare or other medical insurance providers for high-end surgeries."


The cybersecurity firm also found a vast array of forgeries for sale. For between $10 and $120 per record, you can buy fake prescriptions, labels, sales receipts, and stolen healthcare cards.

For $3.25 or less, Carbon Black researchers viewed listings for stolen health insurance information which could be used to make fraudulent claims at the victim's expense.

When it comes to personal health information, of which there are mass dumps for sale online, the company says that these records may be worth up to "three times as much" as standard PII, given their immutability: unlike a card number or password, a diagnosis or medical history cannot be changed once exposed.


"Hacked PHI can be used by nation states against individuals who have health issues as a method of extortion or compromise," Carbon Black added.

The report also included a survey based on interviews with a number of CISOs and healthcare organizations. According to the research, 66 percent of organizations said cyberattacks have become more sophisticated over the past year, and aside from data theft, 45 percent of companies said they have encountered attacks focused on information destruction in the last 12 months.


"In healthcare, prevention often stands to be the best cure," Carbon Black says. "This holds true for both physical and digital health. A person's digital (and often physical) health can be directly tied to the cybersecurity posture of their healthcare providers."
