The black market value of stolen medical records dropped dramatically this year, and criminals shifted their efforts from stealing data to spreading ransomware, according to a report released this morning.
Hackers are now offering stolen records at between $1.50 and $10 each, said Anthony James, CMO at San Mateo, Calif.-based security firm TrapX, the company that produced the report.
That's a big drop from 2012, when the World Privacy Forum put the street value of medical records at around $50 each. Records fetched that price because the average profit per record was about $20,000. The information in medical records can be used for medical billing fraud as well as identity theft and other big-money scams. But the market has become saturated, said James. With about 112 million records stolen in 2015 alone, the medical info of nearly half of all Americans is already out there.
For example, this past summer, a hacker offered nearly half a million records from several hacked databases, at an average of around $1 per record, and another 9 million records for less than 10 cents each. Plus, 2015's megabreaches, like the Anthem loss of about 80 million records, were a big wake-up call.
"2015 was obviously a year where cybersecurity came to the forefront for the health care industry," he said. The combination of a bigger focus on cybersecurity and a falling rate of return for stolen records contributed to a large drop in the volume of losses this year. Although the number of organizations breached went up, from 57 last year to 93 this year, the total number of records lost fell by nearly 90 percent to just 12 million records.
TrapX looked at breaches reported to the Department of Health and Human Services, after filtering out all non-hacking-related breaches such as stolen laptops. All breaches of 500 records or more must be reported, James said, though companies have six months in which to make the reports. So the final tally for 2016 could be higher, he said.
Last year's avalanche of awful breach news also woke up health insurance providers and other organizations likely to be targeted by scammers, so they're now more on alert. "Organizations are taking steps to shore up cybersecurity," James said. With the falling rate of return for stolen records, scammers have turned to other types of attacks instead.
"That's why ransomware has started to increase," he said. "That's where they're getting their money now." One benefit of ransomware, for the attacker at least, is that the payoff is immediate, he said. There's no need to figure out how to monetize the stolen data. Criminals will continue to escalate ransomware campaigns in 2017, James predicted. Attacks on connected devices will also increase at a higher rate than in previous years.