The Top Healthcare Cybersecurity Threats in the Dark Web

In this post we share the important role dark web monitoring has in identifying top healthcare and pharma companies cybersecurity threats for analytical solutions like MediaSonar . Learn more about these cybersecurity threats from the recent webinar we had with them here.

Unfortunately, cybersecurity threats today have become a widespread occurrence across almost every industry. When attackers hit the healthcare industry, though, it has a heightened level of seriousness since it can threaten human life. 

That’s why it’s even more concerning that in the past few years the number of cybersecurity attacks healthcare organizations experience has dramatically increased. More than 93% of healthcare organizations have experienced a data breach between 2017 and 2020. That means that 5 hospitals a day are impacted by a data breach and each hospital now experiences one every year. 

1) Data Breaches of Healthcare and Pharma Companies

The healthcare industry experienced a 55% increase in data breaches from 2019 to 2020. The cost of each data breach also rose by an average of 10%. 

After conducting a quick investigation of two recent Pfizer leaks, we were able to find two different publications of data breaches from a well-known hacking forum from last January. 

Pfizer database breach

The first leak was a partial leak of documents from the Pfizer-BioNTech COVID-19 vaccine stolen in a cyberattack in early December. The threat actors accessed Word documents, PDFs, email screenshots, PowerPoint presentations and even peer reviews of the Pfizer company. These documents were part of a joint effort with the European Medicines Agency (EMA) and related to the development and trials of the COVID-19 vaccine. We discovered this leak of sensitive information in RaidForums, a high profile hacking forum. 

pfizer leak 1
Pfizer database leak in the dark web (Source: Media Sonar platform)

The second example is of leaked Excel sheets of sales Pfizer made with different companies. The data includes the customer names, purchase IDs and purchase amounts of the sales. In this case the data was also shared in Raidforums.

Pfizer leak 2
Pfizer database leak in the dark web (Source: Media Sonar platform)

This leak is a classic example of the risk posed by these pharmaceutical companies to its third-parties. It’s not only Pfizer that is affected by the data leak, it also affects the customers listed on this Excel document. That’s why it’s important for third parties dealing with healthcare and pharmaceutical organizations to also be aware of these types of data breaches as well.

2) The Widespread Distribution of a Database

It’s not just the exposure and breach of established medical and healthcare organizations that is so harmful. It’s the distribution of these databases that are often sold in dark web marketplaces, sites, forums and chat applications. 

Another reason for healthcare and pharmaceutical companies to fear the exposure of a medical database is that malicious threat actors can use patient records to commit medical insurance and identity fraud. 

Sale of medical and healthcare insurance documents

This example shows a post from an actor selling 120,000 medical and healthcare insurance documents.

sale of med and heatlh
Post selling medical and healthcare insurance documents (Source: Media Sonar platform)

Medical and healthcare organizations that want to keep their patient data protected need to continuously monitor the deep and dark web for database leaks and malicious actors distributing them.

3) Ransomware Attacks on Pharma and Healthcare Companies

Ransomware accounts for 28% of targeted attacks in the healthcare industry. Since healthcare organizations often rely on third parties, ransomware attacks can create a cascading effect, completely halting the hospitals’ ability to take inventory and stock essential medical supplies and equipment.

Egregor ransomware

In these two examples are posts from the Egregor ransomware that attacked Dr. reddy’s laboratories. The data was published in a designated website accessible to the public. Unfortunately, this attack was so successful that Dr. reddy’s laboratories had to temporarily discontinue its trial of the COVID vaccine it was conducting jointly with Sputnik. 

dr reddy 1
Ransomware attack of Dr. reddy’s laboratories from Egregor (Source: Media Sonar platform)
egregor 2
Ransomware attack of Dr. reddy’s laboratories from Egregor (Source: Media Sonar platform)

We were also able to find posts referring to recent ransomware attacks on two additional US healthcare organizations: Beacon Health Solutions and Nocona General Hospital.

4) Vaccine Trafficking

Since last April, the trafficking of vaccines has become extremely popular on the dark web. At we found both posts of smaller amounts of shots from Pfizer, Moderna, Johnson & Johnson and Sputnik as well as larger numbers of shots for sale in the dark web. Medical and healthcare organizations can use MediaSonar’s analytics and monitoring solution, for example, to keep track of posts related to vaccine trafficking. In some cases it can use additional analytic tools such as Pathfinder to employ threat actor profiling and identify the threat actors behind the post.

Sale of Pfizer, Moderna, Johnson & Johnson and Sputnik vaccines

Here are three examples of vaccine trafficking posts we were able to locate.  

vaccine 1
Moderna vaccine trafficking post found in the dark web (Source: Media Sonar platform)
vaccine 2
Sputnik vaccine trafficking post found in the dark web (Source: Media Sonar platform)
vaccine 3
Pfizer vaccine trafficking post found in the dark web (Source: Media Sonar platform)

The original pharmaceutical companies are responsible for the distribution of these vaccinations, whether illicitly sold or completely fake. If real vaccines are being sold outside of the company’s knowledge, they need to know about it. The same is true for fake vaccines, although these can cause both irreparable damage to their brands as well as serious harm to the individuals receiving them.

5) The Human Factor

Phishing attacks are often used to infiltrate a healthcare or pharma company’s network or sensitive data. Phishing is responsible for initiating 90% of cyberattacks. At the same time, however, 24% of healthcare employees feel that they have never received cybersecurity awareness training, but felt that they should have.

Phishing scams

Here is an example of a phishing scam we detected are directly related to COVID vaccines. This specific phishing campaign is done through SMS messages, as mentioned in the title.

phishing scams
Phishing scam related to COVID vaccine (Source: Media Sonar platform)

The ExecuPharm data leak from this year that was announced to the public in April 2020 originated from a phishing email targeted at employees. Continuous monitoring of these types of data leaks is crucial since data from older leaks can be reshared continually in different forums. 

The link in the email helped the attacks obtain access to the organization’s data. We were able to find data from the ExecuPharm data leak shared in various hacking forums from January of this year. Awareness of the different risks and forms of phishing attempts – for both companies and their employees – are the first defense line for those that wish to avoid such incidents.

execupharm data leak
ExecuPharm data leak (Source: Media Sonar platform)

The Rising Opportunity Cost of Healthcare Cybersecurity Threats

Most healthcare data breaches in the United States have a hefty price tag of $7.13 million on average. These costs include a loss in revenue, time, and the payment of regulatory fines. The attack on the Universal Health Services(UHS) last year, for example, is estimated to have cost $67 million in lost revenues and costs. 

These estimates include various regulatory fines depending on the industry. For instance, Payment Card Industry (PCI) fines range from $5,000 to $100,000 a month for companies that store credit card data until the merchants comply with the regulations. Health Insurance Portability and Accountability Act (HIPAA) fines range from $100 to $50,000 per violation for companies with healthcare and medical records. 

But it’s not just a loss of revenue that damages healthcare companies. It’s also the damage to their reputation and the equipment and medical staff that could have been bought or hired with this money. 

Dark Web Monitoring and Awareness is the First Step

The good news is that even though dark web threats to healthcare and pharmaceutical organizations are rising, more solutions are being developed to identify and mitigate them. Monitoring these threats is the first step for these organizations to gain greater awareness. Once they are fully understood, various steps can be taken to mitigate or prevent them. 

Want to learn more about how you can deliver healthcare organizations dark web data to help defend them against dark web threats? Contact our data experts today!


Subscribe to our newsletter for more news and updates!

By submitting you agree to's Privacy Policy and further marketing communications.

Ready to Explore Web Data at Scale?

Speak with a data expert to learn more about’s solutions
Create your API account and get instant access to millions of web sources