GUEST RESEARCH: New TrendAI™ research uncovers a global underground economy built around stolen patient data, ransomware extortion and healthcare access trading
New research from TrendAI™ reveals that stolen healthcare data is now being traded through a mature underground economy spanning ransomware groups, access brokers, fraud marketplaces and credential sellers.
Over a 12-month period, TrendAI™ researchers analysed 7,779 underground forum posts, 21,813 marketplace listings and 95 ransomware leak sites linked to healthcare-related cybercrime activity. The findings show that healthcare data remains one of the most valuable commodities in the cybercriminal underground due to its permanence, sensitivity and ability to support multiple forms of fraud simultaneously.
The research found ransomware-related data sales accounted for more than a third (36.3%) of marketplace activity, with attackers increasingly combining encryption with data theft and extortion. Researchers also identified growing targeting of electronic health record (EHR) and electronic medical record (EMR) vendors, enabling single breaches to expose hundreds of downstream healthcare organisations.
Andrew Philp, Field CISO ANZ, TrendAI™ warns that supply chain compromises involving healthcare software vendors and medical platforms are becoming a major risk multiplier for the sector, enabling attackers to scale operations far beyond individual hospitals or clinics.
“Patient data is a lucrative target for cybercriminals. Health data is permanent, deeply sensitive and highly reusable, with a single breach creating long-term consequences for individuals, healthcare providers and the wider health ecosystem. The 2024 MediSecure cyber security incident alone saw private data from 12.9 million Australians breached.
“This research reinforces why healthcare providers continue to be under the microscope of regulators. Stolen health data is prime currency within the broader underground economy, fuelling criminal activity and creating a ripple-effect across industry and government – with a significant cost for inaction with multi-million dollar fines handed down for healthcare data breaches in recent years.”
The report also highlights the growing industrialisation of cybercrime targeting healthcare, with underground marketplaces offering everything from hospital network access and insurance data to medical full and fake medical documentation.
“Healthcare data has evolved from stolen information into a long-term criminal asset class,” said Stephen Hilt, Principal Threat Researcher. “Unlike a credit card, a patient’s diagnoses, treatment history or biometric data cannot simply be cancelled and reissued, which makes healthcare organisations uniquely attractive to ransomware groups and data brokers.”
“What we’re seeing is not isolated cybercrime but a mature underground economy built around healthcare,” said Numaan Huq, Senior Threat Researcher. “Initial access brokers, ransomware affiliates, credential sellers and fraud specialists now operate as part of an interconnected supply chain designed to monetise patient data repeatedly and at scale.”
Full report can be found here: https://www.trendaisecurity.com/en-gb/resources-insights/research/the-cybercriminal-underground-mapping-the-healthcare-data-economy
