A major psychotherapy provider in Finland has suffered a cyberattack in which highly sensitive patient data were stolen. Threats have been issued to publish the stolen data if the ransom is not paid and some patient data has already been leaked online.
Vastaamo serves approximately 40,000 patients across more than two dozen clinics in Finland. Vastaamo started alerting patients about a data breach last week after three of its employees were contacted by an individual who demanded payment of 40 Bitcoin ($500,000) to prevent the publication of stolen patient data.
It is not only Vastaamo that has received ransom demands. After Vastaamo refused to pay, the attacker, who goes by “the ransom guy”, also sent individual ransom demands to patients, telling them to pay €200 ($236) in Bitcoin to prevent the publication of their records. Initial reports suggested the data of approximately 300 patients had been published on a dark net site; later reports indicate a 10GB file containing the records of around 2,000 patients was uploaded to the dark web.
One patient contacted by the BBC said he was given 24 hours to pay the initial €200 demand or face the publication of his teenage psychotherapy notes, and that the demand would rise to €500 ($515) once that deadline passed.
Vastaamo reported on its website that access to its systems appears to have been gained at some point in November 2018, and that a further breach occurred in March 2019. The stolen data appears to relate to patients who received treatment prior to November 2018, although it is possible that data were also taken in the second breach in March 2019.
According to Vastaamo, the breach involved customer names, ID numbers, dates of visits, and information manually entered by the psychotherapy professional, which may have included notes from sessions, care plans, and statements made to the authorities or by the patients themselves.
It is currently unclear how many of Vastaamo’s patients have been impacted by the breach, although Robin Lardot, director of Finland’s National Bureau of Investigation, believes tens of thousands of patient records were stolen. It is also unclear why the threats have only just been issued, roughly two years after the first intrusion; one possibility is that the stolen records were sold on to a third party who has since embarked on an extortion campaign.
Notes from psychotherapy sessions are among the most sensitive data held by healthcare providers. Patients discuss issues in their sessions in a confidential environment where they feel safe and secure. Information disclosed in sessions may not have been shared with anyone else. Finland’s interior minister called the incident “a shocking act which hits all of us deep down,” going on to say that Finland needs to be a country where “help for mental health issues is available and it can be accessed without fear.”
“As a company providing psychotherapy services, the confidentiality of customer information is extremely important to us and the starting point for all our operations. We deeply regret the leak due to the data breach,” said Vastaamo chairman Tuomas Kahri. Vastaamo also issued a statement saying it has fired its CEO, Ville Tapio, for concealing the March 2019 breach from its board of directors and parent company.