News of an unusual data breach at a psychotherapy center in Finland broke over the weekend, after affected patients began receiving emails telling them to pay up or risk their personal and health data being publicly released.
Therapist session notes of some 300 patients have already been published on a Tor-accessible site on the dark web. Among the victims are Finnish politicians (e.g., Member of Parliament Eeva-Johanna Eloranta) and minors.
What is known about the data breach at the psychotherapy center?
Vastaamo is a private company that operates in 22 locations across Finland and employs some 300 psychotherapists.
The hackers have demanded 40 bitcoins (around €450,000) from Vastaamo in exchange for not publishing the stolen data, but the clinic reportedly did not pay the ransom.
An investigation into the incident has been mounted, involving the Finnish Cyber Security Centre, the National Bureau of Investigation and cybersecurity experts from private sector companies. The Office of the Data Protection Ombudsman has also been notified, as well as the National Supervisory Authority for Welfare and Health.
Mikko Hypponen, security expert and chief research officer at Finnish cyber security and privacy company F-Secure, said that no ransomware or encryption was involved – just blackmail with stolen health data.
How the attacker managed to access the information collected by the Vastaamo clinic is still unknown – or maybe the Finnish authorities know, but the information has yet to be shared with the public. It is also unclear just how many patient records have been stolen.
The clinic did not say when the data breach happened, but said on Sunday that:
- They received permission from the police to start contacting affected patients on October 21
- The blackmailer had released some patient information the morning after
- Some patients received blackmail emails on Saturday, in which the sender asks for €200 and €500 for not publishing the patient’s stolen data. Apparently, more than 200 patients received the email. The clinic and the authorities advise the affected patients not to pay, especially because it can’t be confirmed that the attacker and the sender of the email are the same person/gang, and there is no guarantee that paying will result in the information not getting released
- The stolen data contains personal and health information, including therapist session notes, dates of visits, care plans, management goals and statements, but not video sessions (as they are not recorded)
They’ve set up a crisis telephone number for offering information to affected patients, and have offered each victim “a free opportunity to talk to a therapist.”