That’s 10 months of Netflix. Six books from Barnes & Noble. 400 spicy chicken nuggets from Wendy’s dollar menu.
Or one electronic medical record purchased on the dark web.
That figure comes to us courtesy of Nathan Little, Managing Partner at Gillware Digital Forensics. In a recent interview, Nathan revealed that “On the dark web, medical records of a person can sell for anywhere from $50 to $100 per individual. This is nearly 100 times what a stolen credit card number commonly sells for.”
And the reason it’s so valuable is that, unlike credit card or bank account numbers, the information on a medical record (name, address, birthday, insurance info, and social security number) is far more difficult to change. Some people change their credit card numbers many times a year. I’ve yet to meet anyone who has ever successfully changed their birthday.
I’m often asked by my clients, “Why on earth would anyone pay for something like this? What are they going to do with it?”
That’s a fair question, and the answer isn’t obvious. But I want to share an anecdote that was passed to me by Jeremy Mares, the Manager of Business Development-Security & Compliance at Sikich (a professional services/digital forensics company). It brings the conversation firmly into the real world.
In one case, hackers stole health records from a healthcare institution and sold them on the dark web. Those records included the list of drugs that patients were taking and phone numbers of the patients. The criminals who bought the records scanned them for the drugs normally given to patients with stage-4 cancers.
Here’s where this becomes less cyber, more criminal: the criminals then called the cancer patients, pretended to be researchers at a major American medical school, and offered to enroll the patients in an experimental clinical trial for a new drug that might just save their life. The only thing the patients had to do was wire $25,000 to the ‘medical school’ to enroll…
I hope this helps you understand how important data security is, and the real-world consequences that a data breach can have. One of the best ways to mitigate damage from a data breach is to have an effective incident response plan in place before a breach occurs.
Join us on September 20th for a free webinar where we’ll dissect what makes a good incident response plan work, and what can happen if you don’t have one at all.