What’s Your Medical Data Worth? More Than You Think

Two weeks ago, I discussed the difficulties of obtaining relevant data regarding medical identity theft.
I started my research in this field after I read some old stories on the Internet:

  • Lind Weaver refused to pay hospital bills she received for the amputation of her right foot. It was in 2006, but the story still makes the headlines in 2011.
  • Joe Ryan got a bill from a Denver, Colorado, hospital for a surgery. In was in 2004, but everybody talks about it today.
  • The Virginia Prescription Monitoring Program welcome page was replaced in April 2009, with a US$10 million ransom demand.
  • The Indian police arrested, in November 2009, the director of a business process outsourcing company for his involvement in stealing medical history data of a UK-based entity.


Finally, I visited the Datalossdb website, which is a great source of information.
For the year 2011 and the beginning of 2012, I searched for incidents where data types referred to “medical data” and the source excluded “Inside Accidental.” I obtained 176 rows. A quick analysis shows:

  • 97 cases were related to the theft of documents or equipment (desktop, laptop, drive, tape, USB key, etc.)
  • 21 cases were related to an inappropriate disposal of documents (dumpster, email error, recycling bin, etc.)
  • 14 cases were related to a loss of documents or equipment
  • 16 were unknown

I also found these incidents:

  • 14 hacks (computer-based intrusion, data not generally publically exposed)
  • 10 fraud or SE (fraud or scam–usually insider-related or via social engineering)
  • 3 virus (exposure to personal information via virus or Trojan, for example, a keystroke logger, possibly classified as hack)
  • 1 web (computer/web-based intrusion, data typically available to the general public via search engines, public pages, etc.)


Looking at this table we can conclude that, like any other personal data, medical data can be accessed by hackers and crooks. Whether from students, common patients, or Guantanamo detainees, their data was much coveted in 2011.

Although it is easy to find prices on the black market for personal data that can lead to the theft of funds, or forged drivers licenses, or passports, I was unable to find any reliable prices for stolen medical records. At the Digital Health Conference held on December 1, 2011, in New York City, a panel claimed that such records were worth US$50, much more than other personal identity data such as Social Security numbers or credit card information.

In a January 2007 interview with Pan Dixon, then executive director of the World Privacy Forum, he said, “Our research found that there is a huge black market for medical records. Police tell us such records go for $50 each on the street, compared to Social Security numbers that go for a dollar or two.”

I also found a price connected with the November 2009 case in India. It was said that the suspect sold data–for UK£4 per record–to an accomplice who marketed the private records in Internet chat rooms.