The Cybercriminal Underground: Mapping the Healthcare Data Economy

A look inside an industrialized economy where stolen healthcare data is bought, sold, and weaponized, from ransomware breaches to broker access and fake medical documents fueling an expanding criminal supply chain.

Key takeaways

1. Ransomware-driven economy

Ransomware dominates healthcare cybercrime, with double extortion and leak sites now standard practice. Double extortion is a tactic in which criminals exfiltrate sensitive data before encrypting it and threaten to publicly release or sell the stolen data if the ransom is not paid.

Why this matters
Healthcare organizations face both operational disruption and data exposure simultaneously, increasing the pressure to pay.

Risk implications

• Increased likelihood of business interruption affecting patient care

• Regulatory exposure under the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) from data leaks

• Higher financial losses from ransom, recovery, and legal costs

• Public data leaks causing long-term reputational damage

2. Healthcare data as a high-value commodity

Medical records remain uniquely valuable to criminals because, unlike credit cards or banking credentials, a patient's diagnoses, treatment history, and biometric data cannot be canceled or reissued, giving stolen healthcare data a permanence that sustains long-term fraud.

Why this matters
Unlike credit cards, medical data cannot be easily reset, making breaches more damaging over time.

Risk implications

• Persistent identity theft and insurance fraud

• Increased risk of targeted extortion using sensitive diagnoses

• Greater patient harm and loss of trust

• Higher demand from underground markets will continue to make healthcare a prime target

3. Industrialized marketplace ecosystem

The cybercriminal underground has shifted to efficient, transaction-based marketplaces with scalable buying and selling.

Why this matters
Cybercrime today is faster, easier, and more accessible, allowing low-skilled actors to participate. Specialized products and services have segmented the breach supply chain, so buyers no longer need to run the full cycle themselves—they can purchase only the access, data, or capability they need, whether that is initial network access, stolen credentials, ready-made fullz, or ransomware-as-a-service.

Risk implications

• A lower barrier to entry will attract more attackers targeting healthcare

• Faster monetization means shorter time between breach and exploitation

• Increased volume of attacks due to automation and specialization

4. Access brokering and supply chain amplification

Initial access brokers and attacks on electronic health record (EHR) and electronic medical record (EMR) vendors enable large-scale downstream compromise.

Why this matters
One breach can affect hundreds of organizations simultaneously, multiplying damage.

Risk implications

• Third-party vendor risk becomes critical

• Cascading breaches across entire healthcare ecosystems

• Difficulty detecting threats originating from trusted partners

• Increased exposure to large-scale, coordinated attacks

5. Global, specialized, and expanding threat landscape

Cybercrime activity is multilingual, regionally specialized, and expanding into new areas such as medical imaging systems, including Digital Imaging and Communications in Medicine (DICOM) and exposed Picture Archiving and Communication System (PACS) data, and fraud services (fake prescriptions, fraudulent insurance claims, and counterfeit medical documentation).

Why this matters
The threat is not localized and continues to expand across new attack surfaces.

Risk implications

• Harder attribution and more complex threat monitoring

• Emerging risks in non-traditional systems

• Expansion into adjacent fraud markets

• Need for global threat intelligence coverage

From breach to marketplace: Tracking the trade in stolen medical information

Over a 12-month period, we analyzed 7,779 underground forum posts and 21,813 dark web marketplace listings. The data reveals that healthcare information ranks among the most valuable and versatile commodities in the cybercriminal underground.

This ecosystem operates as a mature supply chain: initial access brokers exploit vulnerabilities and sell entry points; ransomware groups exfiltrate and monetize data through double extortion; and marketplaces facilitate large-scale trading of patient records, insurance data, credentials, and full identity packages (also known as “fullz”). Healthcare data commands premium pricing due to its richness, longevity, and ability to support multiple fraud vectors simultaneously.

Figure 1. The healthcare attack lifecycle in the cybercriminal underground

Ransomware-driven data sales dominate activity, accounting for over one-third of marketplace transactions, while direct data trading and access brokering further fuel the ecosystem. The market is global and multilingual, with English dominating, though Turkish and Portuguese communities also show significant activity, reflecting regional specialization.

The threat landscape is shifting toward scalable, high-impact attacks, particularly through supply-chain compromises of electronic health record (EHR) and electronic medical record (EMR) vendors and healthcare technology platforms. Combined with the rise of ransomware leak sites and specialized fraud services, these trends indicate a transition from opportunistic attacks to industrialized, profit-driven cyber operations targeting healthcare at scale.

We investigated the cybercriminal underground from February 2025 to February 2026, focusing on eight healthcare-related categories: healthcare systems and software; medical devices; data trading; breaches and ransomware; marketplace listings; network access; Digital Imaging and Communications in Medicine (DICOM) and medical imaging; and industrial control systems (ICS) and supervisory control and data acquisition (SCADA) within healthcare environments. This research is a continuation of our Healthcare Underground series, building on Cybercrime and Other Threats Faced by the Healthcare Industry, Securing Connected Hospitals, and A Hidden Vulnerability in Healthcare: Exposed DICOM Servers and the Risk to Patient Data, reflecting healthcare's standing as one of the most breach-prone industries.

The trading ecosystem: How healthcare data changes hands

The healthcare data trading ecosystem operates through a well-defined supply chain. Initial access brokers scan for and exploit vulnerabilities in healthcare networks, then sell the resulting entry points at prices ranging from as little as US$100 (an Israeli dental imaging clinic) to as much as US$2,000 (a Taiwanese medical supply network). These access points feed into ransomware-as-a-service operations such as Kazu, LockBit 5.0, Pear, RansomHub, Rhysida, and Akira.

These ransomware groups have established healthcare as a target vertical due to the critical nature of health data and the perceived willingness of healthcare organizations to pay ransoms to avoid disruption of patient care and regulatory consequences under frameworks such as HIPAA.

Figure 2. The underground workflow of the healthcare data trading ecosystem

Data pricing follows a clear hierarchy. Small, localized datasets, such as an Egyptian lab's records, range from US$65 to US$400—commoditized data with limited shelf life. Mid-tier datasets from healthcare technology vendors and regional health systems command from US$1,000 to US$8,000, reflecting their broader applicability for identity theft and insurance fraud. At the top tier, ransomware demands against healthcare organizations reach US$500,000, with implied demands against major hospitals and medical tourism facilities likely extending into the millions.

Healthcare data commands premium pricing in the underground for several interconnected reasons. First, medical records carry the richest personally identifiable information (PII) profiles available in the underground: demographic data, government identifiers (Social Security numbers or national IDs), insurance policies, billing records, and highly sensitive health information such as diagnoses, treatments, mental health and substance abuse history, and graphic medical images. Second, this data has a longer shelf life than financial data: a stolen credit card can be canceled, but a patient’s medical history cannot be changed. Third, healthcare data enables multiple fraud vectors at once, including identity theft, insurance fraud, prescription fraud, targeted extortion using sensitive health conditions, and medical identity theft to obtain care under another person’s identity.

A particularly concerning trend is the targeting of EHR and EMR software vendors as supply chain attack vectors. Compromising a single vendor can grant access to data from dozens or even hundreds of downstream healthcare practices, significantly amplifying the impact of a single intrusion far beyond what could be achieved by targeting individual clinics. This reflects the broader shift in cybercrime toward supply chain attacks, but with uniquely severe implications for patient privacy.

Figure 3. A forum post offering a hospital database for sale

The distribution of DICOM medical imaging tools on the IranHack forum alongside healthcare breach activity suggests that threat actors are developing tools and workflows for processing and monetizing stolen medical imaging data. Combined with the explicit inclusion of DICOM files in breach listings, this indicates an emerging market segment for medical imaging data that extends the threat beyond traditional text-based medical records.

Sellers establish trust through consistent cross-platform presence, verifiable data samples, and adherence to forum norms on communication and conduct. This ecosystem reduces friction on both sides of a transaction, accelerating trade velocity and lowering the barrier to entry for new participants.

The ransomware-driven economy

Figure 4. The ransomware-as-a-service attack chain against healthcare

Ransomware-related data sales dominate the marketplace at 36.3%, reflecting the growing practice of ransomware groups not only encrypting healthcare systems but also exfiltrating and selling stolen data—a post-breach monetization tactic that has become standard practice in ransomware attacks. This double-extortion model is now used by major ransomware groups targeting healthcare, with stolen data published on leak blogs and simultaneously offered for sale on underground forums.

Figure 5. A MedusaLocker listing for a Taiwan-based hospital at US$70,000, March 2026

Ransomware operators maintain dedicated data leak blogs where they publish stolen data from victims who refuse to pay ransom demands. Our analysis identified 7,610 healthcare-related leak posts across 95 distinct ransomware operator blogs. These posts typically contain files with data downloads and countdown timers designed to pressure victims into paying. After the timer expires, the data is offered for sale; some sites list prices openly while others send them through private messages.

Figure 6. The top ransomware groups publishing healthcare data on leak sites

Healthcare data leaks on ransomware blogs are heavily concentrated among a few dominant groups. Rhysida leads by a wide margin, accounting for 40.4% of all published healthcare data, followed by Interlock at 28.1%. Together, these two groups are responsible for 68.5% of the total. The middle tier, comprising Medusa (7.9%), Insomnia (7.0%), SafePay (5.3%), and Payouts King (4.8%), collectively represents 25% of leaks. The remaining three groups, Kairos (2.3%), Genesis (2.3%), and Akira (2.0%), each contribute a relatively small share, combining for just 6.6% of the total. This distribution highlights a stark imbalance, where the vast majority of healthcare data exposure stems from only two ransomware operations, suggesting that targeted disruption of these top groups could have a significant impact on reducing healthcare data leaks.

A recent Rhysida-claimed breach illustrates the breadth of data exposed in a single healthcare-adjacent incident. On Dec. 22, 2025, Cytek Biosciences released a notice of a data security incident. The company stated the exposed information may have included contact information, dates of birth (DOB), driver’s license (DL) numbers, names and Social Security numbers (SSNs), health and medical information, financial and compensation information, and employee account credentials. Rhysida claimed to have sold the stolen data from Cytek and shared data samples as proof of the claim, but did not disclose the selling price.

Figure 7. A Rhysida leak-site listing advertising stolen data from a biomedical company, January 2026

The diversity of ransomware groups publishing healthcare data across 95 leak blogs reflects the commoditization of ransomware as a service (RaaS) and the low barrier to entry for affiliates. Even minor groups such as Payouts King, Kairos, and Genesis run established healthcare data leak operations, demonstrating that the sector attracts threat actors across the full sophistication spectrum.

Healthcare data as a high-value commodity

Cybercriminal forum activity

Between February 2025 and February 2026, we identified 7,779 posts across 163 underground forums spanning eight healthcare-related categories. Data trading dominated at 32.6% of all posts, underscoring sustained demand for stolen healthcare information. Breaches and ransomware followed at 16.5%, with marketplace listings close behind at 16.3%.

In contrast, more specialized healthcare targets received comparatively limited attention. Medical devices accounted for only 5.5% of discussions, while DICOM and medical imaging systems represented just 3.5%.

Figure 8. Healthcare forum posts by category

The ecosystem is concentrated but not monopolized. While Cracked.to functioned as a central hub, accounting for 17.6% of observed activity, meaningful engagement was distributed across multiple forums.

This concentration was briefly disrupted in January 2025, when law enforcement dismantled Cracked.to as part of a coordinated effort known as Operation Talent. However, the disruption proved short-lived. The platform reemerged shortly thereafter under new management, rebranded as Cracked.sh, then Cracked.ax, underscoring the resilience and adaptability of these underground communities.

Figure 9. The top underground forums for healthcare forum activity

While Exploit.in and XSS.is maintain Tor mirrors for users seeking added anonymity, every forum we tracked except for Dread forums was reachable on the clearnet, meaning most of these actors are not hiding so much as operating in plain sight.

Figure 10. A free healthcare database posted on Dread forums in March 2026

Industrialized marketplace ecosystem

Underground marketplace

Healthcare data and infrastructure access rank among the most actively traded commodities within the cybercriminal underground. Our analysis identified 21,813 healthcare-related marketplace posts spanning nine distinct categories of criminal activity. These offerings include the sale of medical fullz and patient records, auctions of credentials that enable access to hospital networks, and the distribution of stolen insurance data. Fullz are packages that can include Social Security numbers, insurance information, dates of birth, financial data, medical records, and driver’s licenses.

Figure 11. Underground healthcare marketplace trading activity by category

Dedicated marketplaces are now the primary channel for commercializing healthcare data and access, with marketplace activity heavily outpacing forum discussions.

Data trading

Data trading, representing 14.9% of the posts, covers the direct sale of healthcare databases, patient records, and medical information. Threat actors offer bulk healthcare data ranging from individual patient records to entire hospital database dumps, which often include sensitive fields such as Social Security numbers, dates of birth, medical diagnoses, insurance policy numbers, and prescription histories.

Insurance fraud

Insurance fraud, at 7.7% of the posts, reveals a robust underground economy built around stolen health insurance data. Threat actors trade insurance card scans, policy numbers, and complete insurance profiles to enable fraudulent claims, prescription filling, and medical identity theft, with Medicare and Medicaid fraud materials especially prominent. Insurance databases start at around US$1,000.

Figure 12. A forum listing offering a medical insurance company database for US$1,000

Access selling

Access selling represents 9.8% of the initial access broker (IAB) market, with cybercriminals selling Remote Desktop Protocol (RDP), virtual private network (VPN), and shell access to healthcare networks. These listings frequently specify the target organization's revenue, suggesting that access is priced based on the perceived ability to pay ransomware demands. On one Russian forum, an IT company bundled with medical insurance data was listed with a starting price of US$4,000 with US$1,000 increments for admin access.

Figure 13. A forum listing offering network access to a U.S. medical company, February 2026

Credential sales

Credential sales account for 8.2% of posts and cover stolen login credentials for healthcare systems, including EHR and EMR platforms, hospital portals, and healthcare SaaS applications. Threat actors typically source these from infostealer malware logs and combo-list compilations.

Fullz and identity packages

Medical fullz, complete identity packages containing healthcare information, are a specialized commodity in their own right. Our investigations found 1,607 posts dedicated to selling medical fullz.

Figure 14. A forum listing offering a U.S. EMR fullz database for sale

Global, specialized, and expanding healthcare threat landscape

The multilingual underground

Healthcare data trading is a global, multilingual market.

While English dominates at 63.3%, Turkish (13.9%) and Portuguese (11.2%) represent substantial trading volumes, likely corresponding to Turkish and Brazilian cybercrime forums. Meanwhile, Russian forums, traditionally associated with cybercrime, account for only 3% of healthcare marketplace activity, suggesting that healthcare data trading is more geographically diverse than traditional cybercrime patterns. The presence of nine languages demonstrates that healthcare data holds value across linguistic and cultural boundaries.

Figure 15. Healthcare marketplace trading activity by language. Note: Language is determined by each forum's primary language attribute and proportionally adjusted from the filtered dataset.

Although English dominates the marketplace, different linguistic communities control specific market segments. English-speaking forums are also more tolerant of non-native proficiency, allowing participants with varying language skills to operate, collaborate, and transact with fewer barriers than more linguistically rigid communities. We explored this dynamic in our 2025 report, Bridging Divides, Transcending Borders, which examines how the English-speaking underground has adapted to law enforcement pressure and linguistic diversification.

Our research surfaced clear regional specialization: Russian-language actors dominate the fullz and identity fraud segments, Turkish actors distribute EHR breach data, German-language markets specialize in prescription pharmaceutical sales, and Arabic-language listings emerge from Middle Eastern healthcare system breaches. This linguistic diversity complicates attribution and underscores the global nature of the threat; the specific alignments may shift year to year.

Traded healthcare data in the underground

Figure 16. The most traded healthcare data fields in underground markets

  • Full EHR and EMR dumps: These are complete electronic medical record exports from healthcare providers and are the highest-value items, containing patient demographics, diagnosis codes (International Classification of Diseases, 10th Revision, or ICD-10), procedure codes (Current Procedural Terminology, or CPT), treatment plans, doctor notes, medication histories, allergy lists, lab results, and insurance details.
  • Medical fullz: These are identity packages enriched with medical data, typically including name, gender, date of birth, race, phone number, address, ZIP code, email address, injury date, diagnosis codes, service office, employer and occupation, payor information (policy, group, ID, and claim numbers for primary and secondary insurance), and guardian details. These comprehensive records command premium prices because they enable both identity theft and insurance fraud simultaneously.
  • Patient database dumps: These are large-volume patient record exports. Records can include full names, dates of birth, genders, addresses, email addresses, mobile numbers, and occupations.
  • Insurance data: This data includes health insurance verification files, claim forms, prior authorization records, and full medical histories.
  • Medical imaging data: This data includes DICOM files such as X-rays, MRI scans, CT scans, and ultrasound images.
  • Credential access to healthcare systems: These are working credentials for remote-access infrastructure such as corporate VPN portals and Fortinet access.

Figure 17. A Turkish hospital database listed for US$250,000, including diagnosis, surgical history, lab results, medication, and hospital statements

Figure 18. A forum listing offering a Brazilian hospital database

Figure 19. A forum listing offering admin access to a U.S. hospital database containing 600GB of data
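
For data owners, the field lists above suggest a triage check on outbound exports: flag any file whose columns combine identity, medical, and insurance fields, the combination that defines a medical fullz. The sketch below is an added example, not code from this report; the keyword sets, the 0.8 match threshold, the label names, and both sample CSVs are assumptions constructed for illustration.

```python
import csv
import io
import re

# Header tokens per category, drawn from the field lists in the bullets above.
HEADER_TOKENS = {
    "identity": {"name", "dob", "birth", "ssn", "address", "zip", "phone", "email"},
    "medical": {"diagnosis", "icd", "icd10", "cpt", "procedure", "medication",
                "allergy", "lab", "injury"},
    "insurance": {"payor", "payer", "policy", "group", "claim", "insurance"},
}

# Value shapes for columns whose headers say nothing (for example "f2").
# These are format checks only: a match is a triage signal, not proof.
# CPT codes are left to header matching because five digits also fit a ZIP code.
VALUE_SHAPES = {
    "ssn": ("identity", re.compile(r"^\d{3}-\d{2}-\d{4}$")),
    "dob": ("identity", re.compile(r"^(19|20)\d{2}-\d{2}-\d{2}$")),
    "icd10": ("medical", re.compile(r"^[A-Z]\d[0-9A-Z](\.[0-9A-Z]{1,4})?$")),
}
MIN_MATCH_RATIO = 0.8  # assumed: share of non-empty values that must fit a shape


def classify_column(header, values):
    """Return the set of categories a single column falls into."""
    cats = set()
    tokens = set(re.split(r"[^a-z0-9]+", header.lower()))
    for cat, words in HEADER_TOKENS.items():
        if tokens & words:
            cats.add(cat)
    filled = [v.strip() for v in values if v.strip()]
    for cat, shape in VALUE_SHAPES.values():
        if not filled:
            break
        hits = sum(1 for v in filled if shape.match(v))
        if hits / len(filled) >= MIN_MATCH_RATIO:
            cats.add(cat)
    return cats


def bundle_label(cats):
    """Map the categories present in one export to a triage label."""
    if {"identity", "medical", "insurance"} <= cats:
        return "medical-fullz"            # identity theft and insurance fraud together
    if "identity" in cats and cats & {"medical", "insurance"}:
        return "identified-health-data"
    if "identity" in cats:
        return "identity-only"
    if cats:
        return "health-data-no-identity"
    return "no-match"


def classify_export(csv_text):
    """Classify every column of a CSV export and label the file as a whole."""
    rows = list(csv.reader(io.StringIO(csv_text.strip())))
    if not rows:
        return {"columns": {}, "categories": set(), "label": "no-match"}
    headers, body = rows[0], rows[1:]
    per_column = {}
    for i, header in enumerate(headers):
        column_values = [r[i] for r in body if i < len(r)]
        per_column[header] = classify_column(header, column_values)
    cats = set().union(*per_column.values())
    return {"columns": per_column, "categories": cats, "label": bundle_label(cats)}


# Constructed sample: opaque headers (f2, f3, dx) hide a DOB, an SSN-shaped
# value (area 000 is never issued) and ICD-10-shaped diagnosis codes.
FULLZ_SHAPED_EXPORT = """
full_name,f2,f3,dx,payor_policy_no,zip
Jane Example,1980-04-12,000-12-3456,S52.501A,POL-0001,00000
John Sample,1975-11-03,000-98-7654,E11.9,POL-0002,00000
"""

# Constructed sample: an operational export with no patient fields.
SCHEDULE_EXPORT = """
room,shift_start,staff_count
A1,07:00,4
B2,19:00,3
"""

if __name__ == "__main__":
    for name, text in (("fullz-shaped", FULLZ_SHAPED_EXPORT),
                       ("schedule", SCHEDULE_EXPORT)):
        result = classify_export(text)
        print(name, result["label"], sorted(result["categories"]))
```

Shape matching produces false positives (a room number such as "A10" fits the ICD-10 shape), so treat the label as a prompt for review rather than a verdict.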

Fake medical documentation business

The underground marketplace has carved out a lucrative niche selling fake medical documentation. These are fraudulent doctor's notes, disability certifications, workers’ compensation, and sick leave paperwork designed to secure government benefits, time off work, and medications. Prices start at US$25.

Latin American countries are a major hotspot for this type of fraud, with the majority of both supply and demand concentrated there. However, we have also spotted occasional requests for fake documentation targeting the U.S. and China, suggesting this is not just a regional problem.

Figure 20. A forum post soliciting the creation of a fake Chinese medical document

Sample pricing

Prices span a wide range, from US$65 for small, localized datasets to US$500,000 for ransom demands against healthcare software companies. Medical fullz command a per-record pricing premium over standard financial fullz because they unlock insurance fraud, medical identity theft, and prescription fraud, in addition to standard financial fraud uses.

Figure 21. A forum post offering medical records from China

Geographic and institutional targeting patterns reveal clear preferences among threat actors that help shape market prices.

Our research shows a pronounced U.S.-centric focus, likely driven by the high monetary value of U.S. medical records for insurance fraud and identity theft purposes.

India is a secondary but growing target, particularly its healthcare technology platforms, which have large user bases. Middle Eastern providers draw premium pricing on the strength of medical tourism and wealthy patient populations.

Table 1 presents sample pricing for healthcare data in the underground marketplace in early 2026.

| Commodity | Sample Pricing (USD) |
| --- | --- |
| Healthcare fullz (SSN/DOB/DL) | $5 |
| Healthcare fullz (with prescriptions) | $25 |
| Medical Note (fake documentation) | $25 |
| Small business medical clinic (5,000 patients) | $65 |
| Access as a Service – Israeli dental imaging system | $100 |
| Access as a Service – VPN to Canadian EMR software company | $400 |
| Russian biology institute database + access | $1,000 |
| Access as a Service – Fortinet access to Taiwanese medical supplier | $2,000 |
| Bulk Medical Database – Indian health insurance (200 GB) | $5,000 |
| Bulk Medical Database – U.S. medical billing (7 GB) | $8,000 |
| Italian medical database with fullz | $150,000 |
| Ransomware – EHR (15 GB) | $500,000 |
| Various controlled drugs | Market Price |
Table 1. Sample healthcare-data pricing observed across underground forums and marketplaces, early 2026

Recommendations

Healthcare organizations facing this threat landscape should focus on four priorities. First, they should take stock of where they stand today, identifying the systems, weaknesses, and configuration gaps that an attacker would go after first.

Second, they need a clear picture of everything attackers could reach, such as connected systems, software vendors, and anything exposed to the internet, because most ransomware attacks now start at the edges of the network rather than the core.

Third, they should monitor for threats already present in the environment, checking the Workbench feature in TrendAI Vision One™ for signs of ransomware activity, stolen credentials, or data being moved out, especially the quieter signals that have not yet triggered an alarm.

Fourth, organizations should treat vendor risk as an ongoing concern rather than a once-a-year one: identify which medical-records vendors and other suppliers their operations depend on and watch them continuously for any sign they have been breached.

Ransomware and double-extortion protection

Threat: Ransomware groups such as Rhysida, LockBit, and Medusa targeting healthcare with encryption and data theft.

Ransomware groups are stealing patient data first, then threatening to publish it if the ransom is not paid. Defending against this means catching the intrusion early, before encryption begins and before sensitive records leave the network.

Data exfiltration and credential theft

Threat: Initial access brokers selling VPN and RDP access; credential theft via infostealer malware; EHR and EMR data dumps.

Most healthcare breaches start quietly: a stolen password, a phished login, or remote-access credentials sold by a broker. By the time the attack is visible, data is already being exfiltrated. The goal is to spot the theft of credentials and the unusual data flows that follow before they turn into a full breach.

Supply chain and third-party risk

Threat: Compromised EHR and EMR vendors affecting hundreds of downstream healthcare organizations.

A single compromised EHR vendor or medical-software supplier can expose hundreds of healthcare organizations at once. Because attackers increasingly target these shared providers as a shortcut, healthcare organizations need visibility not just into their own environment, but also into the security posture of the partners they depend on.

Medical data protection and compliance

Threat: HIPAA violations from breaches; stolen medical fullz; insurance fraud.

Stolen medical records carry not only privacy consequences but also regulatory ones. Protecting this data is therefore both a security and a compliance task: keeping sensitive records from leaving the organization and being able to prove what happened if they do.

TrendAI Vision One™ capabilities

The healthcare data economy described in this report calls for a defense that is equally integrated. The TrendAI Vision One™ platform centralizes cyber risk exposure management, security operations, and robust layered protection, empowering organizations to predict and prevent threats while accelerating proactive security outcomes.

For healthcare organizations, this means a single platform that surfaces exposed assets before attackers find them, correlates the early signals of ransomware and data exfiltration across endpoints, email, network, and cloud, and shortens the time between a suspected intrusion and a contained one.

The following capabilities map the TrendAI Vision One™ platform to the four threat areas this report has documented in the underground: ransomware and double extortion, data exfiltration and credential theft, supply chain and third-party risk, and medical data protection and compliance.

  • Ransomware and double extortion: TrendAI Vision One™ Endpoint Security detects ransomware execution, lateral movement, and data exfiltration in real time; behavioral analysis identifies suspicious encryption patterns and mass file access before damage occurs; the Workbench feature correlates ransomware indicators across the environment to show attack scope and progression; TrendAI Vision One™ Threat Intelligence Hub tracks known ransomware groups and their tactics, techniques, and procedures (TTPs) to catch variants early.
  • Data exfiltration and credential theft: TrendAI Vision One™ Network Security monitors for suspicious data transfers, command-and-control (C&C) communications, and unauthorized access patterns; TrendAI Vision One™ Email and Collaboration Security blocks phishing campaigns and credential-stealing emails before they reach staff; TrendAI Vision One™ Cloud Risk Management identifies misconfigurations in cloud-hosted EHR and EMR systems that expose credentials; the Observed Attack Techniques (OAT) feature detects credential access attempts (T1110, Brute Force; T1187, Forced Authentication).
  • Supply chain and third-party risk: TrendAI Vision One™ Cyber Risk Exposure Management (CREM) Attack Surface Discovery maps connected healthcare technology vendors and identifies exposure points; TrendAI Vision One™ Vulnerability Management tracks CVEs in healthcare software dependencies (EHR systems, medical imaging platforms); the CREM Cyber Risk Index prioritizes third-party risks by criticality and exploitability; the Threat Intelligence Hub alerts when known healthcare vendors are compromised.
  • Medical data protection and compliance: TrendAI Vision One™ Data Security monitors for exfiltration of sensitive healthcare data (SSN, medical records, insurance information); TrendAI Vision One™ Compliance Management tracks HIPAA, Health Information Technology for Economic and Clinical Health (HITECH), and other healthcare regulatory requirements; TrendAI Vision One™ Forensics reconstructs breach timelines to understand what data was accessed and when; TrendAI Vision One™ Services – Incident Response provides evidence for breach notifications and regulatory reporting.

Closing the gaps

Healthcare data is now traded as a structured commodity, with established marketplaces, specialized brokers, and pricing tiers that reward attackers for targeting the sector. Defending against this requires addressing the full lifecycle of how patient data is stolen, sold, and reused. The following recommendations cover the four areas where this underground economy hits healthcare organizations the hardest: ransomware and extortion, stolen credentials and data, risk from third-party vendors, and protecting patient records.

  1. Assess the current posture: Healthcare organizations should check the CREM Cyber Risk Index and pin down the high-risk assets, weak spots, and misconfigurations that an attacker would hit first.
  2. Map the attack surface: Organizations should inventory every connected healthcare system, vendor, and internet-facing asset to ensure complete visibility across their environment.
  3. Detect active threats: Security teams should check the Workbench feature for signs of ransomware, stolen credentials, or data being moved out, including the quiet signals that have not yet tripped an alarm.
  4. Prioritize vendor risk: Organizations should identify the EHR and EMR vendors and other suppliers their operations depend on and monitor them continuously for breach indicators.

Conclusion

Healthcare has become one of the most targeted and profitable verticals in the cybercriminal underground, supported by a mature ecosystem that, over our 12-month research period, comprised 163 forums, 21,813 marketplace listings, and 95 active ransomware leak blogs. This ecosystem demonstrated profit-driven operations in which stolen healthcare data is systematically harvested, packaged, and distributed across a global, multilingual supply chain.

The landscape is no longer defined by isolated breaches but by a structured supply chain in which initial access brokers, ransomware affiliates, data traders, and fraud specialists each monetize the same records across successive channels. Regional specialization reinforces this structure: Russian-language actors dominate fullz and identity fraud, Turkish and Portuguese-speaking communities concentrate on insurance and access trading, and English operates as the connective tissue across them all.

Leak activity is heavily concentrated, with Rhysida and Interlock alone accounting for 68.5% of published healthcare data, which means the disruption of a small number of operators could meaningfully reduce exposure. At the same time, the pivot toward EHR and EMR vendors and healthcare technology platforms signals that future incidents will scale through the supply chain rather than through individual hospitals.

Healthcare’s operational realities significantly amplify the impact of these attacks. Incidents in healthcare disrupt more than data; they affect patient safety, care continuity, and trust. Because downtime is not an option, disruptions to electronic health records, imaging systems, and clinical workflows can delay care and force high-risk manual workarounds, giving attackers significant leverage in ransomware and extortion scenarios. Meanwhile, supply-chain attacks targeting EHR and EMR vendors are increasing in frequency, allowing a single compromise to expose patient data across hundreds of downstream organizations and expanding the scale of systemic risk.

Because medical records cannot be canceled, reissued, or meaningfully devalued after exposure, a single breach continues to generate fraud revenue long after the initial compromise. Defending against this economy requires a shift from incident response to ecosystem awareness: hardening third-party and identity pathways, monitoring underground channels where stolen data is resold, and treating the reuse lifecycle of healthcare data as a first-order risk rather than a downstream consequence.

Appendix

Keywords used for research

The following keywords were used to search underground forum and marketplace posts during the research period.

EMR major platforms

  • Allscripts
  • Athenahealth
  • Cerner
  • eClinicalWorks
  • Epic Systems
  • Meditech
  • NextGen
  • OpenEMR
  • OpenMRS

General healthcare

  • Clinic
  • Health care
  • Healthcare
  • Hospital
  • Medical

Healthcare vendors

  • Abbott
  • Agfa
  • Baxter
  • BD/Becton Dickinson
  • Boston Scientific
  • Carestream
  • Change Healthcare
  • Draeger
  • Fujifilm
  • GE Healthcare
  • Hillrom
  • Hologic
  • Masimo
  • Medtronic
  • Mindray
  • Philips Healthcare
  • Siemens Healthineers
  • Smiths Medical
  • Stryker
  • Varian Medical
  • Zoll

Insurance and payers

  • Aetna
  • Anthem
  • Blue Cross
  • Blue Shield
  • Cigna
  • Health insurance
  • Humana
  • Medicaid
  • Medicare
  • TRICARE
  • UnitedHealth

Medical data

  • Clinical data
  • Diagnosis
  • Health record
  • Immunization
  • Lab result
  • Medical data
  • Medical history
  • Medical record
  • Pathology report
  • Patient data
  • Patient record
  • Prescription
  • Radiology report
  • Treatment record

Medical data trading

  • DEA number
  • Health fullz
  • Insurance card
  • Medical fullz
  • Medical ID
  • NPI number

Medical devices

  • CT scan
  • Defibrillator
  • Dialysis
  • Endoscope
  • Infusion pump
  • Insulin pump
  • MRI
  • Pacemaker
  • Patient monitor
  • Ultrasound
  • Ventilator
  • X-ray

Medical specialties and functions

  • Ambulance
  • Anesthesia
  • Cardiology
  • Dental
  • Dermatology
  • Diagnostic
  • Emergency room
  • Neurology
  • Oncology
  • Ophthalmology
  • Optometry
  • Orthopaedic/Orthopedic
  • Pathology
  • Pediatric
  • Radiology
  • Surgery
  • Surgical

People and roles

  • Doctor
  • Nurse
  • Patient
  • Physician

Pharma and life sciences

  • Biomedical
  • Biotech
  • Clinical
  • Pharma
  • Pharmaceutical
  • Therapeutic
  • Therapy

Regulations and data types

  • HIPAA
  • HITECH
  • PHI
  • Protected Health Information

Forums

  • Ajanlar
  • Altenen
  • ASCarding
  • BDF
  • Best Blackhat Forum
  • BHF
  • BigBrobiz
  • Bitcointalk.org
  • BlackBones
  • Black Hat World
  • Blast
  • BreachForums
  • breachforums.hn
  • BreachStars
  • Cardmafia.ws
  • Carder Market
  • Carders.biz
  • Center.bz
  • Chang'An Nocturnal City
  • Chitachok/Chitachok24
  • Codeby.net
  • CPAMafia.pro
  • Cracked.to
  • Cracking Italy
  • CrackingX
  • Crax Pro
  • Crdclub.ws
  • CrdPro
  • Damagelib
  • DarkForums
  • DarkMarket.bz
  • DarkMoney.cc
  • DarkNetArmy
  • DarkStash
  • Dread forums
  • Dublikat
  • Duty-Free.cc
  • Exploit.in
  • Forum.bits.media
  • ForumTeam
  • Gerki
  • Hackforums.net
  • Hacktivizm
  • HasanBroker's BreachForums
  • HellOfHackers
  • HighLeaks
  • HTDark
  • Illegalizm hacking community
  • ImhaTimi
  • InfoCheats
  • IranHack
  • Korovka
  • LeakBase
  • Leaked
  • LeakForum
  • LeakZone.net
  • Lolzteam.net
  • Mazafaka_2
  • Migalki+ 2022
  • Mipped
  • Niflheim
  • NoHide.space
  • Nullptr
  • NulledBB
  • NZ Darknet Market Forums
  • Olkpeace.org
  • Omerta.cm
  • Patched.to
  • Pitch
  • Probiv
  • ProCrd.CC
  • ProLogic.su
  • RaidForums V2
  • RAMP_v2
  • RootSploit
  • RuTor
  • Rutor24
  • SafeZone
  • Sinister.ly
  • Spear
  • SpyHackerz.com
  • Tenec
  • TurkHackTeam
  • Turkhacks
  • UfoLabs
  • UmbraForums
  • ValidMarket
  • Verified.mn
  • Vermillion
  • VeryLeaks
  • Vlmi.su
  • WeTheNorth
  • WWH-Club.co
  • XForums
  • xReactor
  • XSS.is
  • Xssf
  • YouGame
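
For defenders who want to apply the appendix keyword categories to their own monitoring feed, the following added example (not the researchers' tooling) tags collected post titles by category and ranks them by how many categories they hit. The matching rules (word boundaries, case-sensitive matching for short acronyms such as PHI and MRI, optional plural) and the sample post titles are assumptions constructed for illustration; the keywords are a subset of the lists above.

```python
import re

# Subset of the appendix keyword lists (category -> keywords from the page).
KEYWORDS = {
    "EMR major platforms": ["Epic Systems", "Cerner", "OpenEMR", "Meditech"],
    "Medical data trading": ["Medical fullz", "Health fullz", "NPI number",
                             "DEA number", "Insurance card"],
    "Medical data": ["Patient record", "Medical record", "Prescription",
                     "Lab result"],
    "Medical devices": ["MRI", "CT scan", "Infusion pump", "X-ray"],
    "Regulations and data types": ["HIPAA", "HITECH", "PHI",
                                   "Protected Health Information"],
    "Insurance and payers": ["Medicare", "Medicaid", "Cigna",
                             "Health insurance"],
}


def _compile(keyword):
    """Build a boundary-aware pattern for one keyword (assumed matching rules)."""
    # Multi-word keywords tolerate spaces, hyphens or underscores between words.
    body = r"[\s_-]+".join(re.escape(part) for part in keyword.split())
    if keyword.isupper() and len(keyword) <= 3:
        # Short acronyms match case-sensitively so "PHI" does not hit "Phi".
        return re.compile(rf"(?<!\w){body}(?!\w)")
    # Everything else: case-insensitive, optional plural "s".
    return re.compile(rf"(?<!\w){body}s?(?!\w)", re.IGNORECASE)


PATTERNS = {cat: [(kw, _compile(kw)) for kw in kws]
            for cat, kws in KEYWORDS.items()}


def tag_post(text):
    """Return {category: sorted matched keywords} for one post title."""
    hits = {}
    for category, patterns in PATTERNS.items():
        found = sorted(kw for kw, pat in patterns if pat.search(text))
        if found:
            hits[category] = found
    return hits


def triage(posts):
    """Rank posts by number of categories hit; drop posts with no hits."""
    scored = [(len(tag_post(p)), p) for p in posts]
    return sorted((s for s in scored if s[0]), key=lambda s: -s[0])


# Constructed sample post titles (not real forum data).
POSTS = [
    "Selling medical fullz + insurance cards, US, Medicare IDs included",
    "Phi Beta fraternity member list, emails only",
    "OpenEMR admin panel access, 40k patient records, PHI and lab results",
]

if __name__ == "__main__":
    for score, post in triage(POSTS):
        print(score, post, tag_post(post))
```

Posts that hit several categories at once, such as a named platform together with record types, are the ones worth an analyst's time first; single-keyword hits on generic terms are mostly noise.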