InfoSec Insider

Deceased Patient Data Being Sold on Dark Web

Why are hackers selling medical records of deceased patients?

It is no shocker that medical records are a prime target for cybercriminals. Less intuitive is the dark web market for medical records of the deceased. We took a closer look at the reason behind this strange trend. Here is what we found.

First off, despite best efforts, stolen medical records (of the living) for sale on black markets remain a huge problem. In fact, Cynerio is still seeing continued growth in the number of incidents of patient medical record breaches from hacking and unauthorized access to healthcare systems.

Meanwhile, as more medical records hit the black market, the value of the stolen data declined. The reason is simple: supply and demand. By comparison, medical records are generally of significantly higher value than stolen user credit card data.

Recently, Cynerio has detected an interesting new wrinkle in the sale of stolen medical data on the dark web. Our research team found a post from a vendor on the dark web offering the medical records of the deceased. In this dark web listing, the vendor mentions that 60,000 of the stolen medical records available for purchase include individual death dates. (see image below)

It may come as a surprise that fraudsters would be interested in purchasing medical records of patients who are already deceased, but there is a reason for this. When it comes to identity theft or running up fraudulent charges, there is no better victim than one that can’t file a complaint. If the person whose identity is used for the fraud is deceased, it may go unnoticed for a long time.

According to a past AARP Bulletin, fraudsters attempt to steal the identities of 2.5 million deceased Americans annually in an attempt to open credit card accounts, apply for loans, commit tax fraud and obtain expensive mobile phones via carrier contracts.

The above are the most common forms of fraud tied to ID theft of the deceased. But, when it comes to medical records, they are often used in combination with other personal information to conduct even more sophisticated fraudulent transactions.

Besides financial fraud, criminals also use stolen medical information to illegally acquire medical supplies and obtain health insurance. On the dark web, one of our researchers found criminals explaining to a potential customer how they can use a medical ID to get prescribed drugs delivered to them, to order medication and even to book a doctor’s appointment for a check-up.

When it comes to records of the deceased, we know they are particularly attractive to a subset of hackers on the dark web. We are still actively investigating this phenomenon – stay tuned.

In the interim, healthcare organizations that collect, store and transfer medical records should be aware of the growing demand for protected health information and the advances in the threat landscape. It is increasingly important to educate employees about cybersecurity and to develop advanced defenses, especially for older, more vulnerable medical systems.

(Oren is a security researcher for Cynerio. He specializes in threat modeling, malware analysis and the intersection of clinical engineering and cybersecurity.)
