Healthcare Data Fuels Cybercrime Economy

Stolen healthcare data is being traded through a mature global underground economy spanning ransomware groups, access brokers and fraud marketplaces, new TrendAI research reveals.
Over 12 months to February 2026, researchers analysed 7,779 underground forum posts, 21,813 dark web marketplace listings and 95 ransomware leak sites linked to healthcare cybercrime.
Ransomware-related data sales accounted for 36.3% of marketplace activity. Double extortion, where attackers steal data before encrypting systems and threaten to publish it, is now standard practice.
Andrew Philp, Field CISO ANZ at TrendAI, said supply chain compromises involving healthcare software vendors are becoming a major risk multiplier for the sector.
“Patient data is a lucrative target for cybercriminals. Health data is permanent, deeply sensitive and highly reusable, with a single breach creating long-term consequences for individuals, healthcare providers and the wider health ecosystem. The 2024 MediSecure cyber security incident alone saw private data from 12.9 million Australians breached,” Philp said.
“This research reinforces why healthcare providers continue to be under the microscope of regulators. Stolen health data is prime currency within the broader underground economy, fuelling criminal activity and creating a ripple effect across industry and government - with a significant cost for inaction with multi-million-dollar fines handed down for healthcare data breaches in recent years.”
The MediSecure breach remains the largest notified under Australia’s Notifiable Data Breaches scheme, exposing prescription records and healthcare identifiers covering almost half the population.
The report warns that healthcare data commands premium pricing because it cannot be reset. A stolen credit card can be cancelled, but diagnoses, treatment histories and biometric data are permanent.
“Healthcare data has evolved from stolen information into a long-term criminal asset class,” said Stephen Hilt, Principal Threat Researcher at TrendAI.
“Unlike a credit card, a patient’s diagnoses, treatment history or biometric data cannot simply be cancelled and reissued, which makes healthcare organisations uniquely attractive to ransomware groups and data brokers.”
The research documents a segmented criminal supply chain. Initial access brokers sell network entry points for as little as $US100, feeding ransomware-as-a-service operations including LockBit 5.0, RansomHub, Rhysida and Akira.
Pricing follows a clear hierarchy. Small clinic datasets sell for between $US65 and $US400, while bulk medical databases command $US1,000 to $US8,000. Ransom demands against healthcare organisations reach $US500,000.
Fake medical documentation, including fraudulent doctor’s notes, disability certifications and sick leave paperwork, sells from $US25.
A key finding for governance and risk teams is the growing targeting of electronic health record (EHR) and electronic medical record (EMR) software vendors. Compromising a single vendor can expose data from hundreds of downstream healthcare practices.
“What we’re seeing is not isolated cybercrime but a mature underground economy built around healthcare,” said Numaan Huq, Senior Threat Researcher at TrendAI.
“Initial access brokers, ransomware affiliates, credential sellers and fraud specialists now operate as part of an interconnected supply chain designed to monetise patient data repeatedly and at scale.”
Leak activity is heavily concentrated. Rhysida accounted for 40.4% of published healthcare data and Interlock 28.1%, a combined 68.5% of all leaks across 95 ransomware blogs.
The market is global and multilingual. English dominates at 63.3% of marketplace activity, followed by Turkish at 13.9% and Portuguese at 11.2%, while Russian-language forums account for just 3%.
The report recommends organisations map their attack surface, monitor for stolen credentials and unusual data flows, and treat vendor risk as a continuous discipline rather than an annual review.
The full report is titled The Cybercriminal Underground: Mapping the Healthcare Data Economy.
