A national network of psychotherapy clinics in Finland has suffered a cyberattack in which highly sensitive patient data were stolen. The company was issued with a ransom demand along with a threat to publish the stolen data if payment was not made. The attackers followed through with that threat: they have published some of the stolen data and have also issued ransom demands to individual patients, threatening to disclose their highly confidential therapy notes and personal information if they do not pay.
Finland’s interior minister called the cyberattack “a shocking act which hits all of us deep down,” also saying Finland needs to be a country that ensures “help for mental health issues is available and it can be accessed without fear.”
Vastaamo operates psychotherapy clinics in 25 towns and cities in Finland and serves around 40,000 patients. The healthcare provider announced the breach last week and explained to affected patients that some of their data had been stolen in the attack. The investigation into the breach revealed that the cyberattack most likely occurred in November 2018, but it is unclear why it has taken until now for a ransom demand to be issued.
According to local media reports, three Vastaamo employees received a ransom demand for 40 Bitcoin (around $500,000) to prevent the publication of the data. Several patients have also been contacted and told to pay €200 ($236) in Bitcoin to prevent the publication of their data, with payment required in 24 hours or it would rise to €500 ($515).
This is not the first time that patients have been contacted directly following a cyberattack and have been asked to pay up when their provider has refused; however, in this case the nature of the data stolen in the attack will be a major cause of concern.
Vastaamo said the stolen data included names, ID numbers, service dates, and information manually entered by the psychotherapy professional, including notes from sessions, care plans, and statements made to the authorities or by the patients themselves. Some security experts have reported that a 10 GB file containing data of around 2,000 patients has already been uploaded to dark web locations.
It is currently uncertain how many patients have been affected by the attack. Vastaamo said the attack occurred in November 2018, so patients who visited its clinics after that date were not affected; however, the company also experienced a second breach in March 2019, and patient data may also have been stolen in that attack. The second breach was known to the CEO, but he concealed it from the board and from Vastaamo’s parent company and has since been fired.
Robin Lardot, director of Finland’s National Bureau of Investigation, told local media that he believed the data of tens of thousands of patients may have been stolen in the attack.