Dark web: the harmful business of medical data

How much does a Social Security Number cost? How much does a full medical report cost on the dark web?

This article will have a look at the illegal traffic of medical data, some of the most demanded items on the dark web market. Over the past three years, this market has grown quickly; medical data are said to be by far more lucrative than financial data.


How do data end up on the dark web? 


Intrusion and infection

Hackers may exploit systems vulnerabilities or infect systems with malware, especially ransomware to collect data.

Healthcare institutions have reached the top of the list, as targets. In 2016, more than 16 million medical records were stolen in the US. In 2017,  campaigns like Wannacry and NotPetya hit the sector, resulting in major data breaches.


Recent research has shown that 1 out of 4 data breaches is caused by an insider. Last summer, an employee of Buqa was caught selling between 500,000 and 1 million customer medical reports on the dark web.

Data loss

Physical negligences such as lost USB sticks can also bring data to the market.

These malicious actions can hardly be stopped, since medical reports will be posted then sold on the dark web even before any breach is detected.



The dark web market of medical data


The offer consist of a large range of  items, from single information to full reports

Item Price (2017-2018)
Social Security number $0.5-$1
Insurance ID $1
Blood type <0.5$

Complete record: medical history, prescriptions, preferred pharmacy, etc.

Baby data set $300

Complete ID record

Complete Electronic Health Report database $500,000

Prices of medical data are affected by several variables:

  • The number of items available in the package
  • The characteristic of the victim
  • The source of the stolen data
  • The underground reputation of the seller (i.e.The Dark Overlord)

Despite a high rate of demand, prices have dropped since 2016, following the significant increase of the supply after the intensification of major attacks towards healthcare organizations.



What purposes for buyers?


Buying medical data can serve several purposes, mostly financial:

  • ID theft: by stealing one’s identity, a criminal will be able to get access to specific medical equipments or drugs available upon prescription (which can later be resold by the buyer on the black market), to fill fake insurance claims, tax return and access government benefits. Data from individuals with clean history is highly valued to start credits, hence the value of baby IDs.
  • Extortion: Confidential and sensitive medical data can be used to obtain money or force victims to obey through threats.
  • Marketing: there has been cases of legitimate pharmaceutical companies buying this type of data to target customers in need.

Most of the time, victims will not acknowledge the theft as it happens. However, they can be put in damaging situations when using their own ID for usual life events and risk to be refused access to services or suspected of fraudulent activities.


Medical reports contain a large spectrum of valuable information: from social security numbers to medical and work history, from medication habits to disease information. They can therefore be re used in multiple ways with lucrative outcomes for criminals.

The underground market introduced in this article highlights the necessity for healthcare organizations to set cybersecurity and the protection of their patients’ data as a top priority.

Are you part of a healthcare organization? 

Contact our cybersecurity advisor for more information!

Back to overview