Medical records are a constant target of hackers – this is why

The transition from paper to digital systems has been massive for healthcare organizations. The fact that medical records can be accessed (and updated) anywhere, anytime allows for improved coordination between hospitals, clinics, and specialists.

At the same time, however, storing this valuable data digitally has its challenges, not least the risk of hacks and data breaches. Hospitals, clinics, and health insurance companies aren’t immune to these threats. In fact, the sheer amount of sensitive data they hold makes them prime targets for bad actors.

Research from the HIPAA Journal shows that data breaches are on the rise. In 2022, there were 720 breaches involving more than 500 records – a figure that rose to 725 in 2023, exposing a total of 133 million records. One such breach, reported in 2024, saw Change Healthcare targeted in a ransomware attack believed to have impacted 100 million individuals.

It’s with this in mind that I’ll explore the three main reasons why hackers target medical records and, crucially, what you can do to protect your data.

Reason #1: medical data is valuable

It goes without saying that healthcare organizations such as hospitals deal with huge quantities of data. Every time a new patient is admitted, so too is valuable data such as their name, address, social security number, medical history, and health insurance details. This medical data has value in a monetary sense as well as an ethical one.

When you take this into account, it’s clear that we're not talking about tens or hundreds of thousands of records – but millions, all stored in a single system. These detailed records can easily be monetized by those who have the means as well as the know-how.

It's not like you can cut off or replace these records, either, like you can if your credit card number gets stolen. Permanent details like your social security number are valuable because they can be used for long-term fraud.

In fact, a cybercriminal has all sorts of available avenues when it comes to monetizing your stolen records, the most obvious of which involves selling the data on the dark web. Stolen data can also be used for all kinds of criminal activities including identity theft, medical fraud, or even for stalking and harassment campaigns.

Healthcare organizations are often targeted in ransomware attacks due to the fact that they rely so heavily on access to their systems and the data in question.

Indeed, if a hacker conducts a successful ransomware attack and gets their hands on medical data, the organization to which it belongs might just pay the ransom because of the sensitive nature of the records.

Reason #2: reliance on unsecure networks

Hackers know that some healthcare organizations can and will fall behind when it comes to maintaining the security of their systems.

A reliance on unsecure (or simply outdated) networks can leave these systems and the data they hold vulnerable to attack.

For example, a hospital may continue to use legacy systems that are no longer supported with security updates. There can be various reasons for this, be it due to their compatibility with medical devices or because of the time and cost required to upgrade.

It’s not just the direct vulnerabilities of a hospital’s systems either. If anything, there’s a broader ecosystem of risks which includes external influences. These risks include staff members who connect unsecure devices to a health organization’s network.

It's also worth noting that medical devices, like heart monitors and imaging systems, can connect to the network and create additional entry points for hackers. Third-party vendors who work with healthcare organizations also pose a risk if their own networks aren’t properly secured.

Reason #3: medical information needs to be shared

Treating patients is a team effort – and medical information needs to be shared across teams, specialists, and sometimes organizations. In fact, the sharing of medical information can extend even further beyond this to insurers, researchers, and even patients themselves.

The necessity of sharing medical data, and the data's valuable nature, makes it a constant target for hackers.

Unfortunately, this makes it an easier target for hackers, who can lie in wait until a prime opportunity to intercept that data arises.

The more frequently data is shared, and the more organizations it's shared between, the greater the data's exposure. In turn, this heightens the risk of the data becoming compromised.

The urgency of a hospital environment can affect the privacy of data, too, with immediate access sometimes becoming more of a priority than best security practices.

What can you do to secure your data?

Unfortunately, you and I don't have a lot of control over how healthcare organizations manage their systems. Still, there are a few things you can do to ensure that your data is as safe as it can be on your own devices:

  • Use a VPN: today's best VPNs encrypt your internet traffic and make it unreadable to any third-party snoopers – including greedy cybercriminals. This ensures that all your data, including the personal stuff, is beyond the reach of anyone trying to monetize it.
  • Use multi-factor authentication: make sure you have enabled two-factor authentication (2FA) or multi-factor authentication (MFA) on all of your online accounts that allow it, especially those that contain sensitive data. MFA requires you to provide multiple forms of verification to access an account – reducing the risk of unauthorized access.
  • Keep devices updated: these updates contain important security patches for your devices – so don't leave them hanging. They squash vulnerabilities that, if left unchecked, could result in your data being caught up in breaches.
  • Don’t reuse passwords: you can help prevent potential credential stuffing attacks by using strong, unique passwords for each of your accounts. Try to avoid using personal information (no pet’s names!) and common phrases. Instead, use a mix of upper and lowercase characters, numbers, and symbols. The best password managers can help you remember them, too.
  • Don’t click on suspicious links: phishing attacks impersonate people, apps, and organizations you trust, including healthcare services. The bad actor behind a phishing attack might send you a message (via email or SMS) that looks legitimate – and urgent. The aim is to get you to click on a suspicious link and hand over your personal details that they'll then use for their own nefarious ends.
Mark Gill
Tech Security Writer

Mark is a Tech Security Writer for TechRadar and has been published on Comparitech and IGN. He graduated with a degree in English and Journalism from the University of Lincoln and spent several years teaching English as a foreign language in Spain. The Facebook-Cambridge Analytica data scandal sparked Mark’s interest in online privacy, leading him to write hundreds of articles on VPNs, antivirus software, password managers, and other cybersecurity topics. He recently completed the Google Cybersecurity Certificate, and when he's not studying for the CompTIA Security+ exam, Mark can be found agonizing over his fantasy football team selections, watching the Detroit Lions, and battling bugs and bots in Helldivers 2.
