Doctor Working At Office Desk

Security Experts: Health Data Increasingly Being Sold on Black Market

Consumer health data are increasingly being sold on the black market as health care organizations become popular targets for hackers, NPR’s “all tech considered” reports.


According to Symantec, a security firm, health care companies experienced a 72% increase in cyberattacks between 2013 and 2014. There have been more than 270 public disclosures of large health data breaches — which firms are required to disclose — over the past two years, according to “all tech considered.”

Black Market for Health Data

Meanwhile, health data have increasingly been appearing on the black market, with such information often being more costly to purchase than certain financial data. While stolen credit card numbers tend to be sold for a few dollars or even quarters, a set of Medicare ID numbers for 10 beneficiaries found online by Greg Virign, CEO of the security company RedJack, was being sold for 22 bitcoins, or about $4,700.

Stolen health information available for purchase cannot be found through simple Google searches, and websites offering such data tend to have names that end with .su and .so, as opposed to .com or .org. Some sites for criminal sales feature online rating systems, similar to Yelp, that let the buyer know if the seller is “legit.”

Insufficient Cybersecurity Measures

Meanwhile, security experts say that the cybersecurity measures put in place by health care organizations are not sufficient to adequately combat cyberattacks.

According to “all tech considered,” companies that are subject to HIPAA tend to interpret HIPAA rules loosely.

Jeanie Larson, an expert on health care security, noted that many health care organizations “do not encrypt data within … their own networks.”

In addition, Orion Hindawi — co-founder and chief technical officer at Tanium, a computer network monitoring company — said that some health care organizations are not aware of how large their networks are, including how many computers they have.

The National Healthcare and Public Health Information Sharing and Analysis Center, an industry group Larson is a part of, is pushing for hospitals to invest in cybersecurity to a similar degree as banks. She said, “The financial sector has done a lot with automating and creating fraud detection type technologies, and the health care industry’s just not there” (Shahani, “all tech considered,” NPR, 2/13).