Finnish Therapy Patients Blackmailed After Data Breach

A data breach is having a criminal impact on its victims: many patients of a large psychotherapy clinic in Finland, whose confidential records were stolen, have been contacted individually by a blackmailer.

According to the Associated Press, the breach resulted in Finland’s interior minister summoning key Cabinet members into an emergency meeting on Sunday.

It is reported that hundreds – and possibly thousands – of patient records at the Vastaamo psychotherapy centre were accessed by hackers, who are now demanding ransoms from patients.

Very serious

According to the AP, Finnish Interior Minister Maria Ohisalo tweeted that authorities would “provide speedy crisis help to victims” of the security breach, an incident she called “shocking and very serious.”

Vastaamo runs 25 therapy centres across Finland and operates as a sub-contractor for Finland’s public health system.

It said that its client register with intimate patient information was likely stolen during two attacks that started almost two years ago.

The first incursion probably took place in November 2018 and “it is likely that our (data) systems were penetrated also between the end of November 2018 and March 2019,” Vastaamo reportedly said in a statement late Saturday.

And in a new low, many patients reported receiving emails with a demand for €200 (£181) in bitcoin to prevent the contents of their discussions with therapists being made public.

Vastaamo also reportedly said the unknown criminals had published at least 300 patient records containing names and contact information using the anonymous Tor communication software. “The blackmailer has started to approach victims of the security breach directly with extortion letters,” it reportedly said.

The National Bureau of Investigation said Sunday up to “tens of thousands” of Vastaamo clients may have had their personal data compromised.

Police are said to be looking for the possible culprits both in Finland and abroad.

Medical attacks

In recent years, medical centres (i.e. hospitals) have been on the receiving end of cyberattacks, usually ransomware attacks.

After some victims paid ransomware demands, the US Treasury Department warned earlier this month that those paying the criminals could well be violating US sanction rules.

But those attacks rarely resulted in medical data being used (or published) for blackmail purposes.

Yet medical data has been compromised before.

In July 2019, Singapore suffered the worst cyber attack in that country’s history, which resulted in the theft of the personal data belonging to 1.5 million people, including the medical records of Prime Minister Lee Hsien Loong.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long-standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
