When a hospital’s systems are brought down by ransomware, the immediate crisis is operational. Surgeries delayed, ambulances diverted, clinicians locked out of records. That part makes the news. What receives far less attention is what happens to the data that was stolen before the encryption even started, and where it ends up in the weeks and months that follow.
TrendAI’s latest research into the cybercriminal underground tracked over 21,000 dark web marketplace listings and 7,779 forum posts across 163 underground communities over 12 months. The picture that emerges is not one of scattered, opportunistic theft. It is a functioning economy with pricing tiers, specialist intermediaries, and a global customer base operating in eight or more languages.
Healthcare data sits at the top of that economy for a reason that should concern every provider and pharmaceutical organisation: medical records do not expire. A stolen credit card gets cancelled. A compromised password gets reset. But a patient’s diagnosis history, prescription records, mental health notes, surgical details, and biometric data cannot be revoked or reissued. That permanence is what makes healthcare data uniquely valuable to criminals, and uniquely dangerous for patients.
The patient safety dimension
The conversation about healthcare cybercrime too often stops at operational disruption and financial loss. It shouldn’t. Stolen medical records enable targeted extortion using sensitive diagnoses. They enable medical identity theft, where someone obtains treatment under another person’s identity, corrupting the victim’s records with incorrect blood types, allergies, or medication histories. The downstream clinical risk is real and largely unquantified.
Complete identity packages enriched with medical data (known in underground markets as “medical fullz”) command a per-record premium over standard financial identity packages. A typical medical fullz includes name, date of birth, diagnosis codes, insurance policy and claim numbers, prescription histories, and employer details. That depth of information enables insurance fraud, prescription fraud, and identity theft simultaneously from a single record.
The fake documentation market adds another layer. Fraudulent doctor’s notes, disability certifications, and sick-leave paperwork are widely traded, with prices starting at US$25. While concentrated in Latin American forums, demand is emerging from the US and China. For healthcare systems already contending with prescription fraud and benefit abuse, this is an expanding front.
How the underground economy actually works
The mechanics matter because they explain the speed and scale of what providers are now facing. Healthcare cybercrime no longer requires a sophisticated attacker running the entire operation end to end. The underground has segmented into specialists.
Initial access brokers find and exploit vulnerabilities in healthcare networks, then sell entry points. Our research, for example, found access to an Israeli dental imaging clinic listed at US$100 and VPN access to a Canadian EMR software company at US$400. Those access points feed into ransomware-as-a-service operations. Dedicated marketplaces then handle the downstream sale of whatever data is extracted. Credential sales alone account for 8.2% of underground healthcare marketplace activity, typically sourced from infostealer malware and combo-list compilations targeting EHR platforms, hospital portals, and healthcare SaaS applications.
This segmentation means a low-skilled actor can buy only the component they need. The barrier to entry has dropped considerably, and the volume of attacks has risen with it.
The vendor problem
Perhaps the most consequential finding for the broader healthcare ecosystem is the targeting of EHR and EMR software vendors as attack vectors. Compromising a single vendor can expose patient data from dozens or hundreds of downstream practices in one intrusion. This is not a theoretical risk. Our research, for instance, documented active trading of access to healthcare technology platforms, with mid-tier datasets from such vendors commanding US$1,000 to US$8,000 on underground markets.
For pharmaceutical companies, contract research organisations, and anyone connected to clinical data flows, this creates a dependency risk that internal security controls alone cannot address. Your own defences might be robust. The question is whether the same is true of every system and vendor your operations depend on.
A global, multilingual marketplace
The underground healthcare data market is not confined to English-speaking forums. English dominates at 63.3% of marketplace activity, but Turkish-language communities account for 13.9% and Portuguese-speaking forums (likely Brazilian) represent 11.2%. Russian forums, traditionally associated with cybercrime, contribute only 3% of healthcare-specific trading, though Russian-language actors dominate the fullz and identity fraud segments, specifically.
Regional specialisation is pronounced. Turkish actors distribute EHR breach data. German-language markets focus on prescription pharmaceutical sales. Arabic-language listings emerge from Middle Eastern healthcare system breaches. This geographic diversity complicates attribution and means that no single region’s law enforcement effort can contain the problem alone.
Concentration at the top
Ransomware leak activity tells its own story. For example, across 95 ransomware operator blogs, we identified 7,610 healthcare-related leak posts. Two groups, Rhysida and Interlock, account for 68.5% of all published healthcare data between them. That concentration is both a warning and, arguably, an opportunity. Disrupting even a small number of the most prolific operators could meaningfully reduce the flow of healthcare data into underground markets.
What this demands from the sector
The healthcare data economy is structured, global, and self-sustaining. Defending against it requires a shift from treating breaches as isolated incidents towards understanding the full lifecycle of how patient data is stolen, packaged, resold, and reused across successive criminal channels.
That means continuous monitoring of third-party and vendor risk, not annual assessments. It means treating the reuse lifecycle of exposed medical records as a first-order patient safety concern, not a downstream compliance issue. And it means accepting an uncomfortable truth: in this economy, a single breach does not end when the ransom is paid or the systems are restored. The data continues generating value for criminals long after the headlines have moved on.
About the author

Jonathan Lee is Trend AI’s director of cyber strategy and has 27+ years of experience in UK cyber.
Source: Original Article


































