Hackers Blackmail Patients After Hacking Psychotherapy Center

A Finnish psychotherapy center has fallen victim to a data breach, with the attackers demanding 40 bitcoins (about €450,000) in exchange for not publishing patient records.

Vastaamo is a private company with 22 locations across Finland. With more than 40,000 patients, it is one of the largest psychotherapy providers in the country, and it also operates as a subcontractor for Finland’s public health system.


The attackers stole a large number of patient records in two separate intrusions, the first of which took place almost two years ago. The Finnish National Cyber Security Centre and the National Bureau of Investigation have opened investigations to establish where the center’s security failed.

Psychotherapy Center Data Breach

Security expert Mikko Hypponen said that no ransomware or encryption was involved: the attackers are simply blackmailing the clinic and its patients with stolen health data. It is still unclear how the attacker gained access to Vastaamo’s systems.


According to the initial investigation, the police allowed the clinic to notify the affected parties on Oct. 21, and the blackmailer published a sample of patient information the following morning. By Oct. 24 the attacker had turned to the affected individuals directly, demanding ransoms of €200 to €500 from each of them.

About 200 patients received the extortion email. Vastaamo instructed them not to pay anything, in line with the protocol agreed with the authorities, noting that it is not even certain that the sender of the emails is the same person who carried out the breach.

One thing is certain about this breach: the data the attacker collected includes both personal and health information, including therapists’ session notes, dates of visits, care plans, treatment goals and statements, diagnoses, patient diaries, and contact details.


Investigators believe the customer register was compromised between the end of November 2018 and March 2019. They also reported a 10-gigabyte data file containing patients’ personal information and their therapists’ notes.

Failing Security Systems

It was later revealed that Vastaamo CEO Ville Tapio had known about the shortcomings of the company’s data security but failed to act on them. On learning this, Vastaamo’s board dismissed Tapio, and chair Tuomas Kahri took charge together with the management team.

The current board and the principal owner had not been informed of the March 2019 breach or of the security weaknesses, and they have therefore begun legal proceedings.

Finland’s Digital and Population Data Services Agency (DVV) said this massive breach could have been avoided if management had protected patient data with proper encryption. “Management needs to wake up,” said DVV head of digital security Kimmo Rousku.
