Jessica Sganga and Kenneth Wang of Knobbe Martens write:
As of 2021, more than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010.[1] While credit cards and social security numbers are perennial favorites, cybercrime has begun to favor the theft of electronic medical records (EMR) as sources of revenue. With banks and major financial institutions starting to wise up and tighten their electronic security, cybercriminals have begun to target vulnerable healthcare institutions with a particular focus on the records of children, elderly people, and the deceased.
Compared to credit cards and social security numbers, health records are often more lucrative for cyber criminals. Most credit card and social security numbers sell for about $5, while medical records fetch an average of $250, with the most complete records reportedly going for $1,000.[2]
I’m going to stop this right there, as they are just repeating inaccurate information that has been previously called out as inaccurate. Experian corrected their error years ago after I pointed it out to them and yet many people still link to and repeat the old incorrect information. Similarly, a study done years ago that found a medical record could have a selling/asking price of $250 has no real predictive value in today’s market, where the market has been flooded, and a medical record might sell for a few dollars unless it belongs to some celebrity or person of great public interest.
There are good reasons to consider youth and the elderly vulnerable populations, but let’s not exaggerate the commercial value of records or data. DataBreaches.net sees patient information records on a daily basis from hacks, dumps, and misconfigured storage servers. When you see a 10-page scanned file on a patient that has PII and PHI, you might think “Great!” Then again, you may realize how time-consuming it would be to extract information from scanned PDFs in bulk. If someone needs just one record, ok, but many criminals would not invest their time in data unless it is in readily usable format.
The problem with these snapshot statistics, although well intended, is that they are being kept alive through continual re-citation. A few years ago I was getting skeptical about the often quoted statistics that “according to the FBI, on the Black Market, your Health Records is worth $50, compared to $1 for a Credit Card Number”, then typically citing an article from a year or so ago that was also dubiously referencing this mystical FBI report.
Turns out, if you follow the chain, it leads to an FBI Private Industry Notification (PIN) from April 2014, which in turn references an RSA whitepaper from July 2013, which refers back to an article in the Electronic Health Reporter from Jan. 2013 that seems to rely on something IDExperts published in Feb. 2012. And, curiously, both (Electronic Health Reporter and IDExperts) reference research by the World Privacy Forum that was presented at a workshop in 2006.
To your point – today’s reality is far more complex and cannot (nor should it) be reduced to a simple number.
Absolutely. I went down the same chain/rabbit hole trying to track down the source of the $50, and when I got to Pam Dixon of the World Privacy Forum, she could not give me an actual research-based sourcing. But because WPF’s report on medical identity theft was the seminal paper on the topic, that number has been reported by numerous other papers and presenters.
Whether it had any validity at the time is unknown to me. It certainly does not appear valid now, and I wonder about all the people who repeat it without ever going to look on dark web markets or forums to see what things really sell for/list at.