Several Finnish Patients Blackmailed Following Therapy Center’s Data Breach

An unknown extortionist is blackmailing hundreds of patients following a data breach. The patients are clients of Vastaamo, a Finnish company that operates approximately 25 privately-run psychotherapy centers across the country. Over the weekend, Finland’s Interior Minister confirmed that the police, Interpol and Europol are working together on the investigation. Meanwhile, the extortionist has already leaked sensitive data of about 300 patients – including minors – and is threatening to disclose more.

Data Breach Years Old

Information about the blackmail became known to Vastaamo towards the end of September, after three Vastaamo employees received a blackmail message from an unknown person. The extortionist demanded 40 bitcoins (over $500,000) in exchange for not releasing stolen patient records. Vastaamo immediately reported the matter to the police. They also notified the Finnish Cyber Security Center, the national agency Valvira and the Data Protection Commissioner.

Next, they hired Nixu Cybersecurity to investigate the hack. Nixu discovered that the hack, which likely led to the theft of the customer database, had taken place in November 2018. In fact, hackers accessed Vastaamo’s systems again in March 2019. Personal information about patients may have been viewed or copied at that time.

Apparently, the company’s current board of directors and its current major stakeholder were not aware of the previous security incidents. They also did not know that the company had dealt with information security vulnerabilities in the past. Or that they had to strengthen their systems in response to the March 2019 hack. Nixu’s investigation is still ongoing.

Patient Records Up for Grabs

When the extortionist, who calls himself “ransom_man”, did not get the desired response from Vastaamo’s employees, he approached patients directly. Since September, the extortionist has sent hundreds of emails to patients. In these emails, he asks them to pay $250 to $500 worth in bitcoin (with prices doubling after 24h) to have their private data permanently deleted. Otherwise, he would “make the content of their conversations with their therapist public”, threatened ransom_man.

Although Vastaamo is a private company, the scale of the case and the threats to individual victims have touched the country as a whole. The hack has also outraged Finnish politicians. “This is a serious, outrageous and cowardly attack”, said Interior Minister Maria Ohisalo. According to the Minister, Finland should be a country where “help for mental health problems is available, and where you can access it without fear”.

Last Friday, the cybercriminal leaked sensitive data of about 300 patients – including some minors – on an encrypted Tor network. The information included names, personal identification numbers, telephone numbers, email addresses as well as residential addresses. What’s worse, the contents of patients’ therapy sessions were also disclosed. Thousands of concerned patients have already filed a complaint for invasion of privacy.

Help and Free Therapy for Victims

“We are extremely sorry for our customers and employees and we also want to offer them more support in the midst of the situation”, Vastaamo said in a statement on their website. They urge customers and employees to contact the police when they receive a blackmail message. The company also opened a separate helpline. Moreover, they are offering clients who have fallen victim to blackmail, a free, unrecorded therapy session.

The Finnish government met over the weekend and launched a website for victims of the cyberattack. On the website, the government gives advice and emphasizes that victims should not respond to the ransom demand. “Don’t communicate with the blackmailers. The data has most likely been leaked elsewhere”, it said.

Victim Support Finland, which offers victims support information for free, warned that “it is important to act quickly” as soon as personal details have been published or when falling victim to blackmail. “Contact the police, seek help and take the recommended steps” to avoid falling victim to, for example, phishing and identity theft.