Your Medical Records Could Be Sold on Black Market

NBC Investigative Unit surprises strangers with private medical details

Your doctor’s name, your past illnesses and medical history, even the kind of medicine you take—these are the types of personal details for sale in a multimillion dollar underground market. NBC Bay Area obtained hundreds of California medical records that were surprisingly accurate.

It’s an eerie proposition: details only you and your doctor should know, bought and sold on an international black market so that medical supply companies can turn a profit by billing your insurance company or Medicare for everything from diabetes medications to wheelchairs.

“Oh it’s a big business,” said the man who sold NBC Bay Area 1,000 medical records from California. The source, whom we’ll call Roberto, is based in Costa Rica. Roberto told us via Skype he obtained the California records from someone in India, and he had access to similar records for people in all 50 states.

“As long as you know how to use a keyboard mouse and speak English you can do this,” Roberto said. He agreed to reveal the secrets of this international black market for medical records as long as NBC Bay Area would not reveal his identity.

The records our source provided contained private details about Californians including:

  • names  
  • addresses
  • insurance and medicare numbers
  • medical conditions
  • doctor’s name
  • how often they used certain medications

The records even listed the person’s “favorite color.”

The Investigative Unit called and visited dozens of people in the Bay Area on the list to ask if the details were correct, and most of the time, they were.

“It makes me feel like I’ve been intruded upon,” said a San Jose woman who confirmed the details listed about her were correct, right down to “green” as her favorite color.

A war veteran, who did not want to be named, told us he began getting a number of calls from telemarketers after his doctor diagnosed him with pre-diabetes. “It’s very disturbing. [I get calls] about diabetic equipment, supplies,” he said. “I’d like to find out where it’s coming from.”

Roberto said often it’s coming from call centers all over the world run by medical supply companies who want to sell things they claim are “free” but later get billed to your health insurance or Medicare, so either you or taxpayers end up paying for those “free” supplies.

“These people only care about billing the insurance company and charging Medicare,” Roberto said. “They can get thousands of dollars per day. My friend who’s doing it over here—he bought a car.”

He said telemarketers will phish over the phone for your medical information, using a pre-written script. “I would go, ‘We just have to verify some of the information here. So what is your name? What is the doctor’s name?’ when we didn’t even have the doctor’s name. We were just saying that. We were actually lying to people,” Roberto said.

“On the black market you can get more for medical info than you can for a social security number,” said Federal Trade Commission attorney Lisa Schifferle. She said information about you can also get leaked by insiders at medical facilities and through hackers who break into online medical records.

Regardless of how the information gets out, it doesn’t just hit the victim’s wallet.

This type of medical identity theft can create major problems down the line. “It may result in denial of health or life insurance,” Schifferle said.

To see if your medical data has been breached, the FTC says ask your health insurance company for an explanation of benefits each year. Then look through it to make sure you haven’t been billed for anything you didn’t order. And if you do go online to check your medical records, make sure you use a secure Internet connection with password protected wifi.

The FTC says here’s 4 steps to take if your medical information has been breached:
1. Contact the credit bureaus and to get your annual credit report at Everyone is entitled to receive one free copy per year.
2. Contact your health insurance provider or the hospital to notify them your medical information has been compromised.
3. File a police report with your local police department
4. File a report at That allows the government to keep track of who has been affected by this form of medical identity theft.

As more hospitals move to online medical record-keeping, consumers also have to do their part to protect their information.

Note from NBC Bay Area: We destroyed all the medical information we obtained to report this story.

Hospital Database (click here)

Enter your hospital name into this database to see if it has suffered a security breach. If it has, be sure to contact your health insurance provider for an explanation of benefits to make sure you aren’t paying for any unexplained charges.

Contact Us