Stolen Medical Records Fuel a Black Market of Fraud, Identity Theft, and Patient Harm

By Adrian Cheek, Senior Cybercrime Researcher

Imagine losing your wallet or purse and then someone uses your identity to steal cars, rack up hospital bills, and receive medical procedures under your name. Years later, you discover that a stranger’s blood type is recorded in your chart. You cannot undo it. You cannot reset your medical history the way you cancel a credit card. This story is not an outlier. It is what happens when an underreported problem goes unchecked: what happens after a healthcare data breach, when millions of stolen medical records enter a thriving gray-market economy and are used against the same patients they belong to.

The headlines tend to focus on the breach itself, the number of records exposed, the ransomware demand, and the corporate apology. What almost never gets traced is the downstream journey of that data: who buys it, how it is repackaged, and the actual damage done to patients. This Flare investigation follows that trail.

Key Findings About the Medical Record Black Market

• More than 276 million patient records were compromised in the United States in 2024 alone, a 64% increase over the prior year. Roughly four out of five Americans had personal health information exposed in a single calendar year.
• Medical records command premium prices. On underground markets Flare monitors, a complete medical record sells for $250 to $1,000, compared to as little as $5 for a stolen credit card number. The price gap reflects the record’s completeness, permanence, and fraud versatility.
• Downstream harm is severe and largely untracked. The average victim of medical identity theft spends more than 200 hours and approximately $13,500 attempting to repair the damage. Only 10% achieve a satisfactory resolution.
• No federal law requires healthcare organizations to track whether stolen data is subsequently used for fraud. The full lifecycle from breach to exploitation to patient harm is never systematically measured.
• The gray-market data broker industry accelerates exploitation. Criminals merge breached health records with legally collected consumer data to build comprehensive identity fraud kits, and AI is now automating this process at scale.

The Scale of the Hemorrhage

The numbers keep getting worse. In 2024, research shows more than 276 million patient records were compromised in the United States alone, a 64% increase over the prior year’s already record-setting total. That figure means roughly four out of five Americans had some form of personal health information exposed in a single calendar year, according to data reported to the Department of Health and Human Services’ Office for Civil Rights. Healthcare has been the costliest industry for data breaches for fourteen consecutive years, with the average incident now running close to $10 million.

The 2024 ransomware attack on UnitedHealth Group’s Change Healthcare unit was the worst single incident on record, compromising an estimated 193 million individuals and crippling US claims processing and pharmacy operations for weeks. In 2025, though no single breach matched that scale, the breaches kept coming: Yale New Haven Health lost data on 5.6 million patients, Aflac disclosed a breach affecting 13 million, and the business associate Conduent exposed records potentially numbering in the tens of millions. In total, the HHS breach portal logged more than 600 large healthcare breaches in 2025 affecting at least 57 million people, with the true figure likely higher due to reporting backlogs caused by a multiday federal government shutdown.

Why a Medical Record Is Worth More Than a Credit Card

On underground markets that Flare monitors, a single complete medical record sells for between $250 and $1,000. A stolen credit card number, by contrast, fetches as little as $5. The price gap comes down to completeness and shelf life. 

A health record typically contains a patient’s full name, date of birth, Social Security number, home address, insurance policy details, diagnoses, prescriptions, and treatment history, everything a threat actor needs to construct a convincing false identity. And unlike a credit card, which can be canceled in minutes, a medical record cannot be revoked or reset. Your diagnoses, your blood type, your insurance ID, these follow you permanently.

Telegram post showing “fullz” for sale, including medical records (Flare link to post, sign up for the free trial to access if you aren’t already a customer)

This creates what researchers have termed “long-tail fraud:” exploitation that can recur for years or even decades after a single breach. Criminals use the stolen profiles to file bogus insurance claims, obtain prescription medications, open fraudulent credit lines, apply for loans, and even receive medical treatment under another person’s name. Each use further corrupts the victim’s records, making the problem harder to fix with each passing month.

The Broker Pipeline: From Breach to Exploitation

The journey from data breach to patient harm passes through several hands. Immediately after a breach, raw data is typically posted for sale on dark web marketplaces, sometimes within days. In one famous documented case, a hacker, named “TheDarkOverlord” offered an entire hospital’s database of 397,000 patient records for $26,000, a bulk discount designed to move stolen goods quickly. 

Organized criminal groups then purchase these datasets and process them, combining breached health records with information scraped from legitimate data brokers and people-search sites to create what the underground calls “fullz”: comprehensive identity kits that include verified addresses, family connections, employment history, and financial details alongside the medical data.

The gray-market data broker industry accelerates this process. Companies that legally collect, aggregate, and sell consumer data, (addresses, phone numbers, family relationships, purchasing habits), fill in the gaps that turn a stolen medical record into a ready-made fraud kit. Criminals are now using AI to automate the process of merging brokered data with breached records, building convincing impersonations at scale. 

The TransUnion breach in July 2025, which compromised 4.4 million consumer profiles, and the re-emergence of the once-shuttered National Public Data platform show how thin the line has become between the legitimate data economy and the criminal one.

BreachForums post asking for a TransUnion repost (Flare link to post, sign up for the free trial to access if you aren’t already a customer)

The Harm No One Tracks

For victims, the consequences are serious and hard to resolve. Studies from the Ponemon Institute found that the average victim of medical identity theft spent more than 200 hours and approximately $13,500 trying to repair the damage. Only 10% of victims surveyed achieved what they considered a satisfactory resolution. 89% reported reputational harm, often from having sensitive medical conditions disclosed to employers or other third parties. Almost 20% believed they had missed career opportunities as a result.

Medical identity theft carries risks that go beyond financial loss. When someone receives medical treatment under a stolen identity, the imposter’s medical information, blood type, allergies, medications, diagnoses, can become commingled with the victim’s records. That mix-up is dangerous: a misrecorded allergy or blood type could prove life-threatening in an emergency. And because healthcare fraud is far harder to detect than credit card fraud, victims often do not discover the problem for months, typically only when they receive an unexpected bill, a collection notice, or encounter an error during their own medical care.

In 2024, the FTC received more than 10,000 reports of medical identity theft. Healthcare identity fraud is estimated to cost the industry upward of $5 billion annually. Yet these figures almost certainly undercount the problem, since many victims never realize what has happened, and those who do face a slow, confusing process to correct their records across insurers, hospitals, and credit bureaus.

A Regulatory Blind Spot

What stands out most is the gap between where responsibility for a breach ends and where accountability for downstream harm begins. HIPAA requires covered entities to notify affected individuals after a breach, but the obligation essentially stops there. No federal law requires healthcare organizations to track whether stolen data is subsequently used for fraud. No agency systematically monitors the downstream exploitation of breached medical records. The result is that the full lifecycle of a healthcare data breach, from theft to brokering to exploitation to patient harm, is never measured and rarely studied.

The data broker industry operates under a completely different set of rules. While a handful of states have begun passing broker registration and data minimization laws, there is no single federal law controlling how consumer data is collected, combined, or resold. This means the same personal information that a hospital is required to protect under HIPAA can be legally collected and sold by a data broker with none of the same protections. Criminals have figured this out.

Some cyber experts argue that transparency itself is a form of defense. Research from Patient Protect’s Healthcare Transparency Index suggests that faster, more detailed breach disclosure correlates with lower black-market prices for stolen records, the logic being that data known to be compromised is less valuable to criminals because institutions and patients are more likely to have taken protective measures. Every day of delayed disclosure, by this reasoning, is a day that stolen identities are monetized unchecked.

Following the Data

The healthcare industry’s cybersecurity conversation remains largely focused on prevention: better firewalls, stronger authentication, and faster patching. All of that matters. But none of it does anything for the hundreds of millions of records already circulating in criminal markets, nor for the patients whose stolen data is being repackaged and sold at this moment through a pipeline that connects dark web forums to gray-market brokers to the fraudster who will use it to file a fake insurance claim, obtain a prescription, or open a credit line. 

Regulators, healthcare organizations, and the data broker industry must deal with what happens after a breach, with not just the initial theft, but the brokering, the exploitation, and the lasting harm to real people. Our example is not unusual. For millions of Americans whose medical records have been stolen and sold, it is more likely their future, too.