eCommerceNews Australia - Technology news for digital commerce decision-makers

Healthcare data fuels underground cybercrime economy

Tue, 9th Jun 2026

TrendAI has published research on a cybercrime economy built around stolen healthcare data, ransomware, and traded access to health systems. The findings are based on a year-long review of dark web forums, marketplaces, and ransomware leak sites.

Researchers examined 7,779 underground forum posts, 21,813 marketplace listings, and 95 ransomware leak sites linked to healthcare-related cybercrime activity over 12 months. The study found that ransomware-related data sales accounted for 36.3% of marketplace activity, as attackers increasingly combined data theft with encryption and extortion.

The report describes healthcare information as one of the most sought-after forms of stolen data because it can be reused for several types of fraud and cannot easily be replaced once exposed. It also points to a broader market for hospital network access, insurance data, complete medical records, and fake medical documentation.

One of the clearest trends in the research is the growing focus on suppliers to the sector, rather than only hospitals and clinics. Electronic health record and electronic medical record vendors were identified as increasingly common targets, with a single compromise potentially exposing hundreds of healthcare organisations that rely on the same software or platform.

This supply chain element has become a particular concern in Australia and New Zealand, where healthcare operators face rising cyber pressure. In Australia, the number of ransomware incidents against the healthcare sector doubled in FY2024-25. In New Zealand, major hospital data breaches have prompted NZ$450 million in government investment to strengthen cybersecurity across the public health system.

Andrew Philp, Field CISO, ANZ, at TrendAI, said the consequences of a healthcare breach extend well beyond the initial theft of information.

"Patient data is a lucrative target for cybercriminals. Health data is permanent, deeply sensitive, and highly reusable, with a single breach creating long-term consequences for individuals, healthcare providers, and the wider health ecosystem. The 2024 MediSecure cybersecurity incident alone exposed private data from 12.9 million Australians.

"This research reinforces why healthcare providers remain under close regulatory scrutiny. Stolen health data is prime currency within the broader underground economy, fuelling criminal activity and creating a ripple effect across industry and government. Inaction has carried a significant cost, with multi-million-dollar fines handed down for healthcare data breaches in recent years."

Underground market

The findings suggest cybercrime affecting healthcare has become more specialised, with different actors handling access, theft, extortion, and resale. Rather than isolated attacks, the report depicts an organised market in which patient data is bought, sold, and reused across multiple criminal schemes.

That structure reflects a wider trend in cybercrime, where initial access brokers, ransomware affiliates, and fraud sellers operate in parallel. In healthcare, the value of records can extend from identity theft and insurance fraud to blackmail and credential abuse, making the same dataset useful to several different buyers.

Stephen Hilt, Principal Threat Researcher at TrendAI, said the enduring value of medical records sets them apart from other stolen information.

"Healthcare data has evolved from stolen information into a long-term criminal asset class.

"Unlike a credit card, a patient's diagnoses, treatment history, or biometric data cannot simply be cancelled and reissued, which makes healthcare organisations uniquely attractive to ransomware groups and data brokers."

Wider impact

The report argues that the effects of healthcare breaches are not confined to one sector. Because medical information can be linked to identity documents, financial records, and government systems, a single incident can create downstream risks across other industries and public services.

That is one reason healthcare providers have faced closer regulatory scrutiny after large breaches. The exposure of sensitive patient data can lead not only to operational disruption and extortion demands, but also to investigations, penalties, and long-term remediation costs.

TrendAI's research also points to the operational danger of ransomware in health environments, where outages can affect care delivery as well as data security. The combination of extortion and service disruption has made hospitals and associated suppliers a persistent target.

Numaan Huq, Senior Threat Researcher at TrendAI, said the criminal ecosystem now resembles a connected chain rather than a series of separate attacks.

"What we're seeing is not isolated cybercrime but a mature underground economy built around healthcare.

"Initial access brokers, ransomware affiliates, credential sellers, and fraud specialists now operate as part of an interconnected supply chain designed to monetise patient data repeatedly and at scale."