
By Andréanne Bergeron, Security Researcher
When security leaders think about data breaches, the instinct is to worry about credit cards, bank accounts, and passwords. Those concerns are legitimate. But our analysis of hundreds of PII price points observed across underground forums and dark web markets tells a different story: personal health data is the most expensive thing a threat actor can buy about your employees or customers, at an estimated $300 per record. This is more than four times the value of bank account credentials, and nearly 17 times that of a credit card number.
This isn’t a marginal difference. It’s a structural feature of how cybercriminals value data. And if you lead security for any organization that touches health information (whether you’re a healthcare provider, insurer, benefits administrator, or HR platform), this finding should recalibrate how you think about your threat surface.
Key Takeaways About the Value of Healthcare Data on the Dark Web
- The premium reflects permanence, not just sensitivity. A compromised credit card can be canceled in hours. A health record containing diagnoses, medications, insurance identifiers, and mental health history reflects facts about a person that cannot be changed. This permanence enables fraud schemes that run for months or years before detection.
- Health data enables multiple compounding attack vectors from a single record. The same stolen health record can support insurance fraud (billing for procedures never performed), prescription fraud, identity theft that is far harder to detect than financial fraud, and targeted extortion using intimate personal information as leverage.
- Regulatory concentration creates high-value targets. HIPAA and equivalent frameworks have pushed health data into a relatively small number of large repositories (EHR platforms, clearinghouses, insurers), meaning a single breach can yield an extraordinarily large number of high-priced records in one event.
Know When Your Organization’s Health Records Surface on Criminal Markets
At $300 per record, health data is the highest-value target in the underground economy. Flare monitors dark web marketplaces, stealer logs, and breach dumps to detect exposed patient and employee health information before it’s monetized.
The Data Behind the Claim
Flare Research analyzed 348 PII price points collected from underground markets, threat actor communications, academic research, and cybersecurity publications to estimate the underground market value of different types of personal data. For a detailed explanation of the methodology, read “What is the Cost of Your Data on the Dark Web?”
The resulting ranking of PII types based on what threat actors are willing to pay is shown below:
| PII Type | Estimated Price (USD) |
|---|---|
| Personal Health Data | $300.30 |
| Bank PINs | $196.37 |
| Bank Account Numbers | $68.92 |
| Driver’s Licenses | $67.66 |
| License Plates | $62.44 |
| Passport Numbers | $32.95 |
| Social Media Profiles | $27.34 |
| Credit Card Numbers | $17.74 |
Health data not only tops this list; it leads by a margin that should prompt organizations to fundamentally rethink their data classification and security prioritization.
Why is Health Data Worth So Much?
The answer lies in a combination of permanence, exploitability, and regulatory asymmetry.
First, it cannot be revoked. A compromised credit card gets canceled. A bank account can be frozen. A stolen health record contains diagnosis history, medication lists, insurance identifiers, or mental health records that reflect facts about a person that cannot be changed. That permanence is exactly what makes it valuable to threat actors: the monetization window never closes.
Second, it enables multiple, compounding attack vectors. Health records are rarely used for a single purpose. They support:
- Insurance fraud: including billing for procedures never performed, or rerouting reimbursements.
- Prescription fraud.
- Identity theft: far harder to detect than financial fraud, because victims often don’t notice for months or years.
- Targeted extortion: conditions, treatments, and mental health history are deeply personal, and the leverage they provide is significant.
Third, the regulatory environment creates concentrated targets. HIPAA and equivalent frameworks have pushed health data into a relatively small number of large repositories: EHR platforms, clearinghouses, insurers. This concentration makes healthcare organizations high-value targets and means that a single breach can yield an extraordinarily large number of high-priced records in one event.
What This Means for Your Security Program
The market pricing of health data should directly inform two decisions:
1. Data classification needs to reflect market reality.
Many organizations treat health data as sensitive but operationally equivalent to other PII categories. The price differential our data reveals suggests it deserves its own tier with commensurate controls around access, encryption, monitoring, and third-party data sharing agreements. A framework that places health records in the same classification bucket as email addresses or phone numbers is not aligned with how attackers value and target that data.
2. Third-party and supply chain risk is disproportionately concentrated here.
Health data flows through a complex ecosystem: EHR vendors, billing platforms, benefits administrators, wellness apps, and HR systems all touch it. Each of these relationships is a potential exposure point. Credential leaks from third-party vendors are a primary pathway to initial access in healthcare-adjacent breaches. Knowing that the data at the end of that chain is worth $300 per record should sharpen your vendor risk appetite.
The Broader Picture: PII Has a Market, and Health Data Dominates It
The underground economy for personal data is sophisticated, segmented, and efficient. Threat actors don’t steal data indiscriminately: they target, price, and trade it with a logic that mirrors legitimate markets. Our research makes that logic visible.
The key insight for security leaders is not just that health data is valuable. It’s that the gap between health data and every other PII category is large enough to constitute a qualitative difference in risk, not just a quantitative one. Organizations handling health information are operating in a materially different threat landscape than those that are not, facing adversaries with stronger financial incentives, longer exploitation timelines, and more diverse monetization options. Their security investments should reflect that reality.





