How cybercriminals are industrialising the trade in stolen healthcare data
Inside the underground criminal ecosystem where private information is bought and sold on a global scale.
Steal a credit card number, and the victim cancels it within hours. Steal a patient's medical history, and you own something that never expires. Their diagnoses, prescriptions, mental health records, surgical notes: none of it can be reissued, reset or revoked. That permanence is precisely why healthcare data now commands premium prices across the cybercriminal underground, and why the infrastructure built to trade it has matured into something that looks less like opportunistic hacking and more like a parallel industry.
New TrendAI research, drawn from analysis of 7,779 underground forum posts and 21,813 dark web marketplace listings over 12 months, maps just how far that industrialisation has gone. The findings paint an uncomfortable picture for healthcare providers and for any organisation in the broader care delivery chain.
Ransomware rewrote the economics
Double extortion has become standard operating procedure. Ransomware groups encrypt healthcare systems and simultaneously exfiltrate patient data, threatening to publish or sell it if the ransom goes unpaid. The approach works because it attacks on two fronts at once: operational paralysis and reputational exposure. Healthcare organisations cannot afford prolonged downtime when patient safety is at stake, and that urgency is exactly the leverage attackers exploit.
Ransomware-related data sales now account for over a third of healthcare marketplace transactions. Our research identified 7,610 healthcare-related leak posts spread across 95 distinct ransomware operator blogs. The concentration at the top is stark. Rhysida alone is responsible for 40.4% of all published healthcare data, with Interlock contributing 28.1%. Two groups account for 68.5% of the exposure. That imbalance matters because it suggests targeted disruption of even a handful of operators could meaningfully reduce the volume of healthcare data hitting underground markets.
A commodity with a long shelf life
A single medical record is worth considerably more than a stolen financial credential because it enables multiple fraud vectors simultaneously. Insurance fraud, prescription fraud, identity theft, targeted extortion using sensitive diagnoses: all from the same dataset. Medical fullz (complete identity packages enriched with healthcare information) sell at a per-record premium over standard financial fullz for exactly this reason.
Pricing in the underground follows a clear hierarchy. A small clinic's patient database might fetch US$65. A mid-tier dataset from a healthcare technology vendor sits in the US$1,000 to US$8,000 range. At the top, ransomware demands against healthcare organisations reach US$500,000, with implied demands against major hospitals likely extending into the millions.
The supply chain that enables it all
What has changed most dramatically is how accessible healthcare cybercrime has become. The underground now operates as a mature, segmented supply chain. Initial access brokers scan for and exploit vulnerabilities, then sell entry points to healthcare networks for as little as US$100. Those access points feed directly into ransomware-as-a-service operations run by groups like LockBit 5.0, RansomHub and Rhysida. Dedicated marketplaces handle the downstream sale of stolen records, credentials and identity packages. Sellers establish trust through consistent cross-platform presence and verifiable data samples.
Nobody in this chain needs to run the full cycle themselves any more. A low-skilled actor can purchase only the component they need, whether that is initial network access, stolen credentials, ready-made fullz or a ransomware toolkit. The barrier to entry has collapsed, and attack volume has risen accordingly.
When one breach becomes hundreds
A particularly alarming trend is the targeting of EHR and EMR software vendors as supply chain attack vectors. Compromise a single vendor and you gain access to data from dozens or even hundreds of downstream healthcare practices. The impact of one intrusion is amplified far beyond what individual clinic-by-clinic targeting could ever achieve.
This represents a fundamental shift in healthcare cyber risk. Providers can have exemplary internal security and still be exposed through a compromised third party they rely on for core clinical systems. The dependency is structural, and threat actors know it.
An expanding attack surface
The threat is also spreading into areas that have historically attracted less attention. Our research identified the distribution of DICOM medical imaging tools on underground forums alongside healthcare breach activity, suggesting infrastructure is being developed to process and monetise stolen medical imaging data. This extends the threat beyond traditional text-based records into X-rays, MRI scans and CT data.
Meanwhile, a thriving market in fake medical documentation (fraudulent doctor's notes, disability certifications, and sick-leave paperwork) has established itself across Latin American forums, with emerging demand from the U.S. and China. Prices start at US$25. Insurance fraud materials, particularly targeting Medicare and Medicaid, are widely available with databases starting at around US$1,000.
How should providers respond?
The healthcare data economy is no longer a collection of isolated incidents. It is a structured, global, multilingual marketplace operating across 163 forums in eight or more languages, with English, Turkish and Portuguese communities each occupying distinct market segments. Defending against it requires more than strong perimeter security. It requires ecosystem awareness: understanding how patient data is stolen, sold and reused across successive channels, and treating vendor and third-party risk as a continuous operational concern rather than an annual compliance exercise.
Because once a medical record is out, it does not come back. And the people who stole it are already packaging it for the next buyer.
Jonathan Lee is Director of Cyber Strategy at TrendAI.