How Traditional Marketing Principles Hold True in the Black Market: A Look at Stolen Health Care Records

Cyber attacks are a bigger threat today than ever before. An assortment of companies has been targeted in the past two years, including eBay, Target, The Home Depot, the U.S. Postal Service and Sony Pictures. Recently, hackers have stolen the medical records of 80 million Anthem customers and employees. Anthem is not alone: from 2013 to 2014, health care companies saw a 72 percent increase in cyber attacks. Medical records are being sold through illicit websites on the black market. So, what does any of this have to do with marketing?

The medical records of 80 million Anthem customers and employees were recently stolen by cyber-thieves. Source: The Next Web, Inc.

First of all, it is interesting to note how the marketing of goods and services on the black market is so similar to the marketing of mainstream goods and services, from the increasing use of eCommerce to consumer-centric business models. Aside from the fact that websites selling stolen information use unconventional website domains (i.e., sites that end in .su or .so instead of .com and .org), the process for selling stolen information is fairly standard. Hackers advertise what they are selling online and rely on a rating system for validation. Buyers can rate the seller out of five stars.

Additionally, the same components of the value proposition hold true within the black market for medical records. Medical records have greater utility and desirability than credit card numbers for a variety of reasons, thus warranting a greater price. Stolen medical records can be used longer than stolen credit cards, as credit cards can be cancelled while records cannot be. Credit cards that are known to be stolen are denied, and credit card activity is monitored to identify patterns that are indicative of fraud, whereas these types of checks are not performed when someone tries to buy medicine or medical services with stolen medical records. Stolen medical records can also be more lucrative: a criminal can buy information on the black market, fill a prescription, sell the pills for a profit, and then resell the medical information back on the black market.

For these reasons, stolen credit card numbers are typically only sold for $4 or $5 on the street, whereas medical records range from $50 to $90. According to an article by NPR, one online hacker is selling a “value pack” of 10 people’s Medicare numbers for $4,700.

In fact, the checks and regulations that limit the use of stolen credit card numbers have helped create the market for stolen health care records because the “need” to access useful stolen information is often no longer being met with credit card numbers alone. In sum, value is greater for medical records than for credit card numbers because the bundle of benefits greatly exceeds the costs incurred by the customer in acquiring those benefits.

Finally, President Barack Obama has proposed a data protection act requiring companies to publicly disclose they’ve been hacked within 30 days. This will likely have many ramifications for public relations and perception, as companies will be mandated for the first time to disclose that their data has been compromised.

Some hackers extort businesses by going directly to the company they hacked and letting it know that they have its data and will keep it secret for a price. This serves as an alternative segment of the market to target, since hackers can market and sell the data either downstream (to people who want to use it) or upstream (to the companies that it was taken from in the first place). It’s arguably more efficient to sell it upstream, as hackers can sell data in bulk and build into the price the cost of a damaged reputation had the breach become public knowledge.

From a marketing management perspective, here are some questions to consider:

  • What do you believe Anthem’s next steps should be in terms of marketing message? Discuss your opinion of how Anthem is handling the situation.
  • Consider the healthcare industry. Are consumers likely to switch health care providers following a security breach such as that experienced by Anthem? Why or why not?
  • In general, how can companies conduct “damage control” following security breaches to improve their public image?