Health care data breaches are on the rise. As noted by MedPage Today, there were 39 reported health network compromises in March, totaling more than 1.5 million records. This not only surpasses the 31 total events reported in both January and February, but also more than triples the 388,000 records breached in 2017’s first month.
But here’s the thing: With so many records now compromised, packaged and sold on the Dark Web, the sales price to interested actors is falling rapidly. What happens when data supply outpaces criminal demand?
While Security professionals and patients alike lament the lack of effective controls in protecting Health care data, increasing concern hasn’t translated into better defense. In fact, cybercriminals are now so adept at cracking, stealing and selling health care information that Dark Web prices are falling considerably.
Consider the case of a Baltimore-area substance abuse treatment facility. According to CSO Online, the organization experienced a data breach last year that saw more than 43,000 records stolen and posted on the Dark Web. These records included basic information, such as names and phone numbers, along with dates of admission, doctor and counselor assignments, and specific treatment data. Security researchers identified the likely point of entry as a malicious Word file that, in turn, exploited a vulnerable remote desktop protocol (RDP).
As the clinic struggled to identify and notify all affected patients while simultaneously improving its IT security posture, its entire catalog of records was being shopped around the Dark Web at just $300, or less than 1 cent per record.
In effect, it’s a supply-and-demand issue. Until recently, “fullz” — full packages of personally identifiable information (PII) — went for around $7. But as the number of available records skyrocketed, the price dropped to compensate. Now, the average price per record sits between 50 cents and $1.
