Why Do Criminals Target Medical Records?
Criminals target medical records because they are valuable, and misuse of medical records is harder to detect than the misuse of other types of personal data, such as credit card information, meaning medical records can be misused for longer than other types of personal data.
Hackers go to great lengths to gain access to healthcare networks. Data compiled by the HIPAA Journal from breach reports submitted to the HHS’ Office for Civil Rights (OCR) shows that the number of data breaches reported by HIPAA-regulated entities continues to increase every year. In 2021, 715 data breaches affecting 500 or more individuals were reported to OCR – an 11% increase from the previous year. Almost three-quarters of those breaches were classified as hacking/IT incidents. The large increases seen in previous years have leveled off, but data breaches continue to be reported in high numbers, rising to 719 large data breaches in 2022, 746 in 2023, and 742 in 2025. In 2023 and 2024, large healthcare data breaches were reported at twice the rate of 2018.
Healthcare organizations, especially healthcare providers, are attractive targets for hackers as they store vast amounts of valuable patient data. Large health systems store millions of patient records, and even relatively small healthcare providers may store the records of hundreds of thousands of patients. The stored data is highly detailed, including demographic data, Social Security numbers, financial information, health insurance information, and medical and clinical data, and that information can be easily monetized.
How Do Hackers Make Money from Stolen Medical Data?
Healthcare records are so valuable because they can be used to commit a multitude of crimes. Social Security numbers, dates of birth, and demographic data can be used to commit identity theft to obtain loans and credit cards in victims’ names. Healthcare data can be used to impersonate patients to obtain expensive medical services, Medicare and Medicaid benefits, healthcare devices, and prescription medications. Healthcare records also contain the necessary information to allow fraudulent tax returns to be filed to obtain rebates.
In contrast to credit card numbers and other financial information, healthcare data has an incredibly long lifespan and can often be misused for long periods undetected. Credit card companies monitor for fraud and rapidly block cards and accounts if suspicious activity is detected, but misuse of healthcare data is harder to identify, and the data can be misused in many ways before any malicious activity is detected. During that time, criminals can run up huge debts – far more than is usually possible with stolen credit card information.
Stolen data can be used to develop convincing spear phishing, smishing, and vishing campaigns, where the attacker impersonates a hospital or health insurer. Medical records contain highly sensitive information about medical conditions, pregnancies, abortions, and sexual health tests, and that information can easily be used for extortion and blackmail.
Patient data stolen from healthcare organizations is often processed and packaged with other illegally obtained data to create full record sets (fullz) that contain extensive information on individuals, often in intimate detail. These full record sets are often sold on dark websites to other criminals who use the data to obtain documentation such as Social Security cards, driver’s license numbers, and passports. The documentation allows an identity kit to be created, which can then be sold for considerable profit to identity thieves or other criminals to support an extensive range of criminal activities.
Healthcare Data Can Be Used as Leverage
Many of the hacking incidents reported by healthcare providers are ransomware attacks. Ransomware is a type of malware that encrypts files to prevent access. The aim of these attacks is to cause massive disruption to business operations. Faced with an inability to operate, businesses are forced to pay the attackers for the keys to decrypt their data. Without access to critical systems, and especially if medical records are encrypted, patient safety is put at risk. Cyber actors perceive attacks on healthcare providers to be more likely to result in ransom payments than attacks on other sectors, where there is lower reliance on data to operate, which is why many ransomware gangs target the healthcare industry.
These attacks prevent access to data, but recovery is possible if backups of critical data have been made. In response, the Maze ransomware gang started exfiltrating data before encrypting files and using the stolen data as leverage to pressure victims into paying the ransom. Threats were issued to publish or sell the data if payment was not made. Since then, data theft has been adopted by most ransomware groups.
Even if data can be recovered from backups, many healthcare organizations feel compelled to pay to prevent the misuse of patient data. It is often the threat of publication or sale of the stolen data, and the resulting damage to the organization’s reputation, that leads to ransoms being paid. As such, there has been a growing trend where threat actors skip file encryption and instead conduct data theft and extortion attacks. Data theft and extortion attacks are quieter, quicker, and require less effort, allowing more organizations to be attacked. In 2025, a threat group called PEAR (Pure Extortion And Ransom) emerged that exclusively uses this tactic. The group has disproportionately attacked the healthcare sector.
Healthcare Organizations Are an Easy Target
Healthcare organizations store large amounts of high-value data, which makes them an attractive target for hackers, and they are often easy to attack. The IT environments of healthcare organizations are often complex, with a large attack surface that can be difficult to secure. Devices and software that have reached end-of-life continue to be used, as upgrading is costly and often problematic. Many healthcare providers use software solutions that were developed to work on specific – and now obsolete – operating systems and cannot be transferred to more modern, supported operating systems.
Vast numbers of networked medical devices are used in hospitals. IBM’s research suggests an average of 10-15 devices are used per hospital bed, with the number of medical and IoT devices growing at a considerable rate. Keeping track of those devices and ensuring they are secured and kept up to date is a major challenge. Securing medical and IoT devices can also be problematic, as many devices have not been developed with security in mind.
Healthcare professionals need easy access to patient data. Members of the care team often work from different locations, so remote access is required, which introduces further risks. Healthcare environments are busy, and employees are often overstretched, which inevitably results in human vulnerabilities that can be easily exploited. The healthcare industry is particularly susceptible to phishing attacks due to a combination of busy working environments, overstretched staff, and a lack of regular security awareness training. A 2021 study by MediaPro on 850 healthcare employees saw 72% of employees rated as a security risk, with only 28% demonstrating they had the skills to recognize and avoid phishing attacks. Further, many healthcare organizations are still heavily reliant on traditional security solutions, such as network and endpoint technologies, which are not effective at securing cloud infrastructure and IoT devices.
How Can Healthcare Cybersecurity Be Improved?
Phishing, ransomware, and malware attacks on the healthcare industry are profitable, and that is unlikely to change, so healthcare organizations need to concentrate on improving their defenses and strengthening their cyber posture to make it harder for cyber actors to succeed. A comprehensive risk analysis should be regularly conducted to identify all risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
Audits and investigations by OCR often identify failures with risk analyses, which are commonly not comprehensive in scope. Healthcare organizations need to identify all systems, devices, and locations where ePHI is stored, conduct a comprehensive organization-wide risk analysis, and manage and reduce the identified risks in a timely manner. Since the risk analysis must cover every system that could conceivably be attacked to gain access to ePHI, as well as every location and system where ePHI is stored, it is important to create and maintain a comprehensive, accurate, and up-to-date IT asset inventory on which the risk analysis can be based.
Cybersecurity best practices need to be followed, including conducting regular vulnerability scans, patching promptly, backing up data, implementing network segmentation, and implementing robust access controls with multi-factor authentication. HIPAA-regulated entities must also have ongoing processes for hardening system security to reduce the attack surface. OCR has issued guidance on some of the steps that can be taken to strengthen security in its January 2026 cybersecurity newsletter. Regular security awareness training for the workforce is a vital part of improving security posture. Security awareness training should have a strong emphasis on phishing and other attack methods that target employees and should be accompanied by phishing simulations.
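The preceding sections describe the weaknesses that make healthcare organizations easy targets (end-of-life operating systems, unmanaged networked devices, remote access without MFA, flat networks) and recommend an inventory-based risk analysis as the remedy. The following is an added example, not HIPAA Journal's or OCR's own tooling, of a triage pass over such an inventory: each asset is checked against those weaknesses, findings on systems that store ePHI are weighted more heavily, and the inventory is ranked so the riskiest systems are remediated first. The asset names, dates, field names, severity weights, and the 30-day patching threshold are all assumptions for illustration.

```python
"""
Added example (not HIPAA Journal's own tooling): a risk-analysis triage pass
over a constructed IT asset inventory. It flags the weaknesses the article
names (end-of-life operating systems, unpatched or unmanaged devices, remote
access without multi-factor authentication, and ePHI on an unsegmented
network) and ranks assets so the riskiest are remediated first.
All asset names, dates, field names and weights are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Observation date for this triage run (assumed; a real run would use date.today()).
AS_OF = date(2026, 3, 1)

# Patching older than this many days is a finding (assumed policy threshold).
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Asset:
    name: str
    os: str
    os_end_of_life: Optional[date]   # None = vendor still supports the OS
    stores_ephi: bool
    remote_access: bool              # reachable by staff from outside the network
    mfa_enabled: bool
    network_segment: str             # e.g. "clinical", "corporate", "flat"
    last_patched: Optional[date]     # None = unmanaged device, never patched


# Constructed sample inventory; these are not real systems.
INVENTORY = [
    Asset("ehr-db-01", "Windows Server 2022", None, True, False, True, "clinical", date(2026, 2, 20)),
    Asset("pacs-legacy", "Windows 7", date(2020, 1, 14), True, True, False, "flat", date(2019, 12, 1)),
    Asset("infusion-pump-17", "Embedded Linux", None, False, False, False, "biomed", None),
    Asset("vpn-gw", "Linux", None, False, True, True, "dmz", date(2026, 2, 27)),
    Asset("hr-fileshare", "Windows Server 2012", date(2023, 10, 10), True, True, True, "corporate", date(2025, 6, 1)),
]


def findings_for(asset: Asset, as_of: date = AS_OF) -> List[Tuple[str, int]]:
    """Return (finding, weight) pairs for one asset.

    Weights are assumed severities; every weight is doubled when the asset
    stores ePHI, because a compromise there is a reportable breach.
    """
    out: List[Tuple[str, int]] = []
    if asset.os_end_of_life is not None and asset.os_end_of_life <= as_of:
        out.append(("end-of-life operating system: no security patches available", 4))
    if asset.last_patched is None:
        out.append(("never patched / unmanaged device", 3))
    else:
        age = (as_of - asset.last_patched).days
        if age > MAX_PATCH_AGE_DAYS:
            out.append((f"patching overdue ({age} days since last patch)", 2))
    if asset.remote_access and not asset.mfa_enabled:
        out.append(("remote access without multi-factor authentication", 4))
    if asset.stores_ephi and asset.network_segment == "flat":
        out.append(("ePHI stored on an unsegmented network", 3))
    if asset.stores_ephi:
        out = [(finding, weight * 2) for finding, weight in out]
    return out


def risk_score(asset: Asset, as_of: date = AS_OF) -> int:
    """Total weighted risk for one asset; 0 means no findings."""
    return sum(weight for _, weight in findings_for(asset, as_of))


def triage(inventory: List[Asset], as_of: date = AS_OF) -> List[Tuple[str, int, List[str]]]:
    """Rank the inventory by risk score, highest first (ties broken by name)."""
    ranked = sorted(inventory, key=lambda a: (-risk_score(a, as_of), a.name))
    return [(a.name, risk_score(a, as_of), [f for f, _ in findings_for(a, as_of)])
            for a in ranked]


if __name__ == "__main__":
    for name, score, findings in triage(INVENTORY):
        print(f"{name:18s} score={score:3d}")
        for finding in findings:
            print(f"    - {finding}")
```

Running the script ranks the end-of-life imaging server that exposes ePHI over remote access without MFA well above the up-to-date EHR database, which is the ordering a remediation plan should follow. The same structure extends naturally: add a column for each control the organization's policy requires and a corresponding check, and re-run the triage whenever the inventory changes so the risk analysis stays current rather than being a one-off document.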
Given the rapidly evolving threat landscape and the difficulty of securing the sprawling attack surface, healthcare organizations should also strongly consider implementing zero-trust architectures to protect systems and data when threat actors succeed in breaching their perimeter defenses.
Editor-in-Chief, HIPAA Journal