Value of stolen medical records less than financial data
- 15 November 2016
A new study into the marketplace for stolen medical records has found that stolen medical records data does not yet eclipse the value of stolen financial services data, which remains far easier to exploit.
Intel Security has released its McAfee Labs Health Warning report, which annually assesses the marketplace for stolen health data. It concludes that financial data, because of its liquidity, remains more valuable and offers a more certain return on investment to cybercriminals than patient records.
The Intel Security research report says, however, that the development of the market for stolen data and related hacking skills indicates that the “business of cybercrime” in the health care sector is growing. It does not specify whether NHS data is covered by the report.
The report found that the price per record for stolen patient medical records remains lower than financial account records and retail payment account information, despite the increasingly time-sensitive, or perishable, nature of data such as credit and debit card numbers.
The report found stolen medical records available for sale from US$0.03 to $2.42 per record. Comparable stolen financial account records were found to be available for US$14.00 to $25.00.
The report says that the most lucrative cybercrime targeting the health care industry to date involves pharmaceutical and biotech intellectual property.
In recent years, Intel Security has observed the cybercriminal community extend its data theft efforts beyond financial account data to medical records. Although credit and debit card numbers can be canceled and replaced quickly, this is not the case for personal health information (PHI) that does not change.
This “nonperishable” PHI could include family names, mothers’ maiden names, social security or pension numbers, payment card and insurance data, and patient address histories.
This longevity of the value of data has led to speculation that the price per medical record could soon rise to rival or even eclipse that of financial account or payment card data, but Intel Security’s 2016 research says such a move on pricing has not yet occurred.
The research found the average health record price point to be greater than that of basic personally identifiable information, but still less than that of personal financial account data.
The findings suggest financial account data continues to be easier to monetise than personal medical data. Upon stealing a cache of medical records, it is likely cybercriminals must analyse the data, and perhaps cross-reference it with data from other sources before lucrative fraud, theft, extortion, or blackmail opportunities can be identified.
The report also investigated the targeting of biotechnology and pharmaceutical firms for their intellectual property and business confidential information. The researchers suggest that the economic value of such information is considerably higher than that of the records of individuals.
The researchers also observed brazen efforts by cybercriminals, through online ads and social media, to recruit into their ranks health care industry insiders with access to valuable information.
“When a well-developed community of cybercriminals targets a less prepared industry such as health care, organisations within that industry tend to play catch-up to protect against yesterday’s threats, and not those of today or tomorrow.”