Health care data breaches are on the rise. As noted by MedPage Today, there were 39 reported health network compromises in March, totaling more than 1.5 million records. This not only surpasses the 31 total events reported in both January and February, but also more than triples the 388,000 records breached in 2017’s first month.

But here’s the thing: With so many records now compromised, packaged and sold on the Dark Web, the sales price to interested actors is falling rapidly. What happens when data supply outpaces criminal demand?

Everything’s Got to Go!

While security professionals and patients alike lament the lack of effective controls in protecting health care data, increasing concern hasn’t translated into better defense. In fact, cybercriminals are now so adept at cracking, stealing and selling health care information that Dark Web prices are falling considerably.

Consider the case of a Baltimore-area substance abuse treatment facility. According to CSO Online, the organization experienced a data breach last year that saw more than 43,000 records stolen and posted on the Dark Web. These records included basic information, such as names and phone numbers, along with dates of admission, doctor and counselor assignments, and specific treatment data. Security researchers identified the likely point of entry as a malicious Word file that, in turn, exploited a vulnerable remote desktop protocol (RDP).

As the clinic struggled to identify and notify all affected patients while simultaneously improving its IT security posture, its entire catalog of records was being shopped around the Dark Web at just $300, or less than 1 cent per record.

In effect, it’s a supply-and-demand issue. Until recently, “fullz” — full packages of personally identifiable information (PII) — went for around $7. But as the number of available records skyrocketed, the price dropped to compensate. Now, the average price per record sits between 50 cents and $1.

For patients and companies, however, the financial impact is potentially ruinous. Health care organizations are faced with potential public relations and network disasters, while patients may find that their entire identities — from tax returns to Social Security numbers to physical addresses — are being leveraged to cause long-term headaches.

The Data Breach Defense

The new threat landscape has many companies taking action to limit the chance of data breaches. The problem is that efforts don’t always match the most worrisome attack vectors.

Consider that among the top concerns for health agencies is the threat of ransomware. Fair enough, since cybercriminals are now willing to ask for millions in compensation, and companies know they’re on the hook for more than $300 per record in remediation costs.

But here’s the thing: Insider threats are actually the greatest danger to health data, with employees responsible for 68 percent of all health data breach attacks in 2016. In most cases, staff members have no intention of causing harm; they may be duped by phishing emails, click on malicious links or accidentally share privileged information.

Another key threat vector is third-party vendor breaches. These occur when data processing partners don’t do enough to secure their infrastructures and inadvertently allow health care data to be lost, stolen or compromised.

Effective health care defense isn’t just about beefing up network controls and locking down IT systems. Instead, companies need better internal education programs paired with more thorough assessments of third-party providers to limit the chance of compromise.

Even with record prices falling to all-time lows, don’t expect cybercriminals to give health care companies a break. While criminal-facing prices may be falling, the costs of damage control and remediation continue to rise, meaning health organizations need to take a hard look at where they’re getting hit and what’s being targeted. With no single cause, effective treatment of the data breach problem requires a multifaceted approach.

More from

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…