Study highlights multi-billion-dollar underground economy

Healthcare Data Becomes Cybercrime’s Most Valuable Asset


Healthcare data has emerged as one of the most valuable commodities in the digital underground, according to new research by cybersecurity experts at Trend Micro.

The study, conducted by Trend Micro’s cybersecurity division, reveals a highly organized black market built around stolen patient information. The findings show that medical data is no longer just being stolen in isolated incidents, but is systematically traded, resold, and repurposed for a wide range of criminal activities.


Healthcare data remains highly lucrative

Over a 12-month period, researchers analyzed thousands of listings across underground forums, illicit marketplaces, and ransomware leak sites. The results confirm that healthcare data continues to rank among the most in-demand assets in the cybercrime ecosystem.

The reason lies in its permanence and sensitivity. Unlike credit card data, which can be quickly blocked and replaced, medical records cannot be changed. Diagnoses, treatment histories, and biometric information retain long-term value, making them ideal for fraud, extortion, and identity theft over many years.

Ransomware fuels the patient data economy

Ransomware groups play a central role in this expanding underground market. According to the findings, more than one third of all observed listings were directly linked to ransomware-related data leaks.


Modern ransomware operations have evolved beyond simple encryption attacks. Threat actors increasingly combine data theft with extortion, significantly increasing pressure on victims. Providers of electronic health records are especially targeted, as a single breach can impact multiple downstream hospitals, clinics, and healthcare providers simultaneously.

Cybercrime becomes increasingly industrialized

The report also highlights the growing professionalization of cyberattacks targeting the healthcare sector. A full supply chain has emerged around stolen medical data.

A key role is played by so-called initial access brokers. These specialized actors gain unauthorized access to hospital or healthcare provider networks and then sell that access to other criminals, including ransomware operators and fraud groups. This division of labor significantly lowers the technical barrier to launching attacks.

In addition to access credentials, underground platforms now also trade complete identity packages, insurance records, and even forged medical documents.

Stolen data is monetized multiple times

Cybercriminals are not limited to selling full datasets. Instead, they increasingly monetize stolen information in multiple ways, including insurance fraud, fake medical certificates or prescriptions, and the takeover of patient and staff accounts.

Mayra Rosario, Senior Threat Researcher at TrendAI, explains:

“Healthcare data has evolved from stolen information into an asset that cybercriminals can exploit long-term.”

This persistence makes medical data particularly attractive to attackers.

Software supply chains emerge as a critical risk

Beyond direct attacks on healthcare providers, researchers warn of a growing focus on software vendors and platform operators. If these central service providers are compromised, attackers can scale their reach dramatically, impacting large numbers of organizations at once.

Securing digital supply chains is therefore becoming a key pillar of cybersecurity in healthcare environments.

Hundreds of medical systems exposed online

The study also examined publicly accessible DICOM systems used globally to exchange medical imaging data such as MRI, CT, and X-ray scans. Researchers identified 3,627 openly accessible systems across more than 100 countries.

Germany ranked fifth globally, with 138 exposed DICOM servers.

Although the DICOM standard has supported encryption and authentication for years, these protections are often not enabled. According to the researchers, nearly all discovered systems lacked effective authentication, and only a minimal fraction used TLS encryption.

The implications go far beyond privacy violations. Attackers could extract or manipulate medical imaging data, inject malware, and move laterally within hospital networks.

Healthcare data as cybercrime currency

Healthcare data has firmly established itself as a core currency in cybercrime markets. At the same time, pressure is mounting on hospitals, healthcare providers, and software vendors to strengthen defenses and better protect sensitive patient information and critical infrastructure.

(pd/TrendAI)
