New research analysing underground cybercrime activity has found that healthcare data has become one of the most consistently traded assets on illicit marketplaces, with ransomware-related data sales accounting for more than a third of activity over the past year.
The analysis examined 7,779 underground forum posts, 21,813 marketplace listings and 95 ransomware leak sites linked to healthcare-related cybercrime over a 12-month period. It found that ransomware-related data sales made up 36.3 per cent of marketplace activity, as attackers increasingly combine data theft with encryption and extortion rather than relying on one tactic alone.
Records that never expire
Takanori Nishiyama, Senior Vice President for APAC and Japan Country Manager at Keeper Security, said the findings reinforce a hard truth for cyber defenders across the region: patient records have evolved into durable criminal assets that cannot be cancelled and reissued the way a credit card can. He noted that ransomware incidents against Australian healthcare providers have doubled in recent years, and that a sharpening focus on electronic health record vendors means a single supplier compromise can spread across hundreds of providers sharing the same platform.
“Healthcare records stay valuable for years, fuelling identity theft, extortion and credential abuse across an organized market of access brokers, ransomware affiliates and fraud sellers around the world,” said Nishiyama.
AI is sharpening both sides of the fight
Nishiyama said healthcare environments combine high-value data, ageing infrastructure, distributed third-party vendors and constrained budgets — conditions that traditional perimeter defences were never built to contain. As both defenders and attackers adopt AI tools, he said the risk is intensifying: defenders gain faster detection and response times, while attackers use AI to increase the speed and scale of their campaigns.
To close the gap, Nishiyama recommended healthcare organisations adopt a zero-trust security model built on least-privileged access, including a Privileged Access Management solution to control, monitor and restrict access to critical systems and patient data. Securing privileged accounts, enabling real-time monitoring and enforcing role-based access controls can reduce the blast radius of an attack even when a breach does occur, he said, alongside ongoing user education and regular access audits to keep policies aligned with healthcare compliance requirements.
The findings add to a growing body of evidence that healthcare remains one of the most targeted sectors for cybercriminals across Asia-Pacific, where ageing hospital IT systems and fragmented vendor ecosystems often lag behind the security investments seen in financial services and government.


