Hackers steal dead people's medical records and sell them on the dark web

Anthony Cuthbertson

Medical records of deceased patients are appearing on illicit marketplaces on the dark web, cyber security researchers have discovered.

Cyber criminals are advertising huge caches of personal data of up to 140 million patients, with their value exceeding that of stolen credit card details.

The morbid trend follows an increasing number of medical data breaches, as reported by Oren Koriat, an analyst at the security firm Cynerio.

"Cynerio is still seeing continued growth in the number of incidents of patient medical record breaches from hacking and unauthorised access to healthcare systems," Mr Koriat wrote.

"Recently, Cynerio has detected an interesting new wrinkle in the sale of stolen medical data on the dark web. Our research team found a post from a vendor on the dark web offering the medical records of the deceased."

The listings are appearing on black markets on the dark web, a section of the internet that has become synonymous with illegal activities due to the proliferation of drug marketplaces like the now defunct Silk Road. Often confused with the deep web – a vast part of the surface web that is not indexed by online search engines like Google – the dark web requires specialist software tools like the Tor web browser to access.

While medical records being listed on illicit marketplaces is nothing new, the sale of data from recently deceased patients points to cyber criminals exploiting the fact that identity fraud victims will not report suspicious activity if they are dead.

"I have a fresh US medical database including nearly 140 million records," one vendor wrote in a dark web listing. "Each record has the fields: Name, SSN [social security number], address, zip, phone, birthday, sex, insurance.

"There is even a death date for each record if the one is dead, more about 60,000 records have death date [sic]."

The price of the data is listed as $2 per record in batches of 100, going down to $0.60 per record if bought in batches of 1,000. This gives all 140 million records a potential value of $280 million.

Beyond financial fraud, cyber criminals could exploit the healthcare records for other purposes, like redirecting medication to different addresses or requesting doctors' appointments on other people's health plans.

One dark web post, shared by Mr Koriat, explained that the potential uses of the data are "only limited to your imagination."