Finnish Psychotherapy Center Hacked, Patient Data Leaked on the Darknet
Hackers are demanding a ransom of about $500,000 from the management of Vastaamo, a major network of psychotherapy clinics in Finland. Since Vastaamo is a nationwide medical network with more than a dozen branches, the data of tens of thousands of patients is at risk. Worse yet, confidential patient information has already been partially published on the darknet, and some Vastaamo clients have even been contacted directly by the hackers.
Vastaamo’s management officially announced the incident for the first time last week. It was revealed that back in September 2020, a hacker contacted three employees of the medical institution and demanded a ransom of 40 bitcoins (over $500,000 at the current rate), threatening to publish the stolen patient data if the demand was not met.
According to local media, the hacker has already started carrying out these threats, with at least 300 medical records published on the darknet. It is also reported that, after failing to get a response from Vastaamo’s management, the extortionist began contacting patients directly by email, demanding $240 in cryptocurrency from each for the removal of their records from the stolen database. Apparently, the hacker came up with this idea after several people learned about the leak and offered the hacker money themselves to have their information deleted. According to Ilta Sanomat, the blackmailer set the price at 0.05 bitcoin (about $650) for these individuals.
The same publication notes that the hacker “writes in very good English” and uses secure email services. Initially, the hacker used Tutanota, then switched to Protonmail and Cock.li.
Over the past weekend, the Finnish National Bureau of Investigation officially confirmed the incident, stating that the leak affected data on tens of thousands of patients. Meanwhile, journalists from Helsingin Sanomat discovered that the extortionist has already leaked at least 2,000 medical records. They report that the hacker uploaded a 10 GB file containing information about Vastaamo patients, including their names, social security numbers, postal and email addresses, phone numbers, and therapists’ notes.
Currently, Vastaamo representatives are providing updated information about the incident almost daily, and the medical institution is working on the investigation together with the Finnish Cybersecurity Center, Valvira, and the Data Protection Ombudsman. Finnish ethical hackers are also assisting in the investigation, and cybersecurity company Nixu is studying the technical aspects of the breach. Nixu’s specialists discovered that the actual hack likely occurred back in November 2018.
Interestingly, this was not the only attack on Vastaamo. It has now come to light that another incident occurred in mid-March 2019, which was known to the head of the clinic network, but he decided to keep it secret from the board of directors, authorities, and affected individuals. When this came to light, Vastaamo’s board of directors dismissed the head of the company. It is still unknown whether any data was stolen during the March attack.
According to the latest statements from Vastaamo and the Nixu investigation, it has been confirmed so far that the medical institution’s infrastructure did not have critical vulnerabilities and has not been attacked since March 2019.