For a period of twelve months, TrendAI researchers analyzed 7,779 posts in underground forums, 21,813 marketplace listings, and 95 ransomware leak sites related to cybercrime in the healthcare sector. The results show that health data continues to be among the most coveted commodities traded in the criminal underground. Its persistence, its sensitivity, and the possibility of using it for various forms of fraud and extortion make it particularly attractive to criminals.
Ransomware as the Engine of Underground Trade
Data sales from ransomware incidents accounted for more than a third (36.3 percent) of the total marketplace activity. Ransomware actors increasingly combine encryption with data theft and extortion. Additionally, the researchers identified that electronic health record providers are increasingly being targeted: a single successful attack on such a provider can compromise hundreds of downstream healthcare facilities.
The report also highlights that cybercriminals are no longer limited to selling complete data sets. Health data is increasingly traded on underground marketplaces as a basis for identity theft, insurance fraud, fake certificates and prescriptions, and the takeover of patient and employee accounts. As a result, stolen data sets can be monetized multiple times over the years.
"Health data has evolved from stolen information to assets that cybercriminals can use in the long term," explains Mayra Rosario, Senior Threat Researcher at TrendAI. "Unlike a credit card, diagnoses, treatment histories, or a patient's biometric data cannot simply be blocked and reissued, making them particularly attractive to ransomware groups and data brokers."
From Lone Actor to Criminal Supply Chain
The study also illuminates the ongoing industrialization of cybercrime in the healthcare sector: underground marketplaces now offer a wide range of goods, from access credentials for hospital networks and insurance data to complete identity packages and fake medical documents.
The role of so-called initial access brokers is growing particularly strongly. These specialized actors gain access to the networks of hospitals, clinics, or healthcare providers and then sell that access on to ransomware groups or other cybercriminals. This division of labor lowers the entry barrier for attackers and accelerates the commercialization of attacks on healthcare facilities.
"What we are observing are not isolated incidents but a sophisticated underground economy specifically built around cyberattacks on the healthcare sector," says Dirk Arendt, Director Government, Public and Healthcare DACH at TrendAI. "Current incidents in Germany and worldwide vividly demonstrate how much patient data is the focus of cybercriminals and must be better protected."
Software Providers as Entry Gateway: Risk with a Multiplier Effect
The study also warns that supply chain compromises via software providers and medical platforms are becoming a central risk amplifier for the entire sector. They enable attackers to scale their operations far beyond individual hospitals or clinics.
Worldwide Unprotected Systems for Medical Imaging
Concurrently, TrendAI researchers identified significant risks with internet-connected medical imaging systems. A separate investigation found 3,627 publicly accessible DICOM servers in more than 100 countries. DICOM (Digital Imaging and Communications in Medicine) is the central standard for exchanging medical imaging data such as MRI, CT, or X-ray images.
Particularly critical: although DICOM has supported security mechanisms such as encryption, authentication, and access controls for decades, they are rarely used in practice. Only 0.14 percent of the identified systems used the TLS encryption the standard provides, while 99.56 percent accepted connections without any effective authentication check. The report warns that attackers could thereby spy on patient data, manipulate medical images, deploy ransomware, or move laterally within hospital networks.
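The access controls the report says are rarely enabled sit at the DICOM association layer: before any image is exchanged, the peer sends an A-ASSOCIATE-RQ naming the called and calling Application Entity (AE) titles, and the receiving node decides whether to accept. The following added example (not code from the report or from TrendAI) shows what a defensive policy gate for that step looks like: it parses the fixed-length A-ASSOCIATE-RQ header, refuses plaintext connections, and checks the AE titles against an allow-list. The AE titles, the `peer_tls` flag and the header-only sample PDU are constructed for illustration; a real request also carries variable items (application and presentation contexts) after the header.

```python
import struct

# Fixed part of a DICOM A-ASSOCIATE-RQ PDU (PS3.8, 9.3.2), 74 bytes, big-endian:
# type(1) reserved(1) length(4) version(2) reserved(2) called AE(16) calling AE(16) reserved(32)
ASSOCIATE_RQ = 0x01
HEADER = struct.Struct(">BBIHH16s16s32x")


def parse_associate_rq(pdu: bytes) -> dict:
    """Return the called/calling AE titles from an A-ASSOCIATE-RQ, or raise ValueError."""
    if len(pdu) < HEADER.size:
        raise ValueError("PDU shorter than the A-ASSOCIATE-RQ header")
    pdu_type, _, length, version, _, called, calling = HEADER.unpack_from(pdu)
    if pdu_type != ASSOCIATE_RQ:
        raise ValueError(f"not an A-ASSOCIATE-RQ (type 0x{pdu_type:02x})")
    if length != len(pdu) - 6:  # length field counts bytes after itself
        raise ValueError("PDU length field does not match data received")
    if version & 0x0001 == 0:
        raise ValueError("peer does not offer DICOM protocol version 1")
    return {"called": called.decode("ascii").strip(),
            "calling": calling.decode("ascii").strip()}


def evaluate_association(pdu: bytes, peer_tls: bool, local_ae: str, allowed_calling: set):
    """Policy gate for an incoming association. Returns (accept, reason).

    peer_tls is assumed to be supplied by the transport layer (True only when the
    TCP connection was wrapped in TLS and the client certificate was verified).
    """
    if not peer_tls:
        return False, "plaintext association refused: TLS required"
    try:
        rq = parse_associate_rq(pdu)
    except ValueError as err:
        return False, f"malformed request: {err}"
    if rq["called"] != local_ae:
        return False, f"called AE title {rq['called']!r} is not this node"
    if rq["calling"] not in allowed_calling:
        return False, f"calling AE title {rq['calling']!r} not in allow-list"
    return True, f"association from {rq['calling']} accepted"


def build_associate_rq(called: str, calling: str) -> bytes:
    """Constructed header-only A-ASSOCIATE-RQ used as sample input (no variable items)."""
    return HEADER.pack(ASSOCIATE_RQ, 0, HEADER.size - 6, 1, 0,
                       called.ljust(16).encode("ascii"), calling.ljust(16).encode("ascii"))
```

Logging every rejection with the calling AE title and peer address gives a simple detection signal for unexpected association attempts against an imaging node.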
Further Information
The full report 'The Cybercriminal Underground: Mapping the Healthcare Data Economy' can be found here: https://www.trendaisecurity.com/de/resources-insights/research/the-cybercriminal-underground-mapping-the-healthcare-data-economy
The full report 'Exposed DICOM Servers and the Risk to Patient Data' can be found here: https://www.trendmicro.com/vinfo/de/security/news/cybercrime-and-digital-threats/a-hidden-vulnerability-in-healthcare-exposed-dicom-servers-and-the-risk-to-patient-data
Press Office
TrendAI™
c/o BRAND AFFAIRS AG
Mischa Keller
MSc Business Administration Partner
Phone: +41 44 254 80 00
Email: trendmicro-media@brandaffairs.ch
Mühlebachstrasse 8
8008 Zurich
Switzerland
