Private Psychotherapy Notes Leaked in Major Finnish Hack

The confidential treatment records of tens of thousands of psychotherapy patients in Finland have been hacked and some leaked online, in what the interior minister said Monday was “a shocking act.”

Distressed patients flooded victim support services over the weekend as Finnish police revealed hackers accessed records belonging to private company Vastaamo, which runs 25 therapy centres across Finland.

Thousands have filed police complaints over the breach, they added.

Many patients reported receiving emails with a demand for 200 euros ($236) in bitcoin to prevent the contents of their discussions with therapists being made public.

“The Vastaamo data breach is a shocking act which hits all of us deep down,” Interior Minister Maria Ohisalo wrote on her website on Monday.

Finland must be a country where “help for mental health issues is available and it can be accessed without fear.”

Ministers met for crisis talks this weekend, with further emergency discussions tabled for the coming week over the unprecedented data breach.

“We are investigating an aggravated security breach and aggravated extortion, among other charges,” Robin Lardot, the director of Finland’s National Bureau of Investigation, told a news conference at the weekend.

Lardot added that they believed the number of patients whose records had been compromised numbered in the tens of thousands.

On Monday evening, Vastaamo said it had fired its CEO, Ville Tapio, after an internal enquiry discovered that he had concealed a March 2019 data breach from the board and the firm’s parent company.

The firm admitted flaws in the security of its customer data, “which allowed criminals to break into the database up until March 2019,” Vastaamo said in a statement.

The company’s owner, PTK Midco Oy, on Monday launched court proceedings “in relation to its May 2019 purchase of Vastaamo,” the statement added.

– ‘Justifiably worried’ –

Security experts reported that a 10-gigabyte data file containing private notes between at least 2,000 patients and their therapists had appeared on websites on the so-called dark web.

The hack, which targeted some of society’s most vulnerable including children, has caused widespread shock in the Nordic country of 5.5 million, with ministers gathering on Sunday to discuss how to support the patients whose sensitive data had been leaked.

“It is absolutely clear that people are justifiably worried not only about their own security and health but that of their close ones, too,” Ohisalo told reporters late on Sunday.

On Monday, authorities launched a website for victims of the cyberattack, offering advice and telling them not to pay the ransom demand.

“Do not communicate with the extortionist, the data have most likely already been leaked elsewhere,” the “Data Leak Help” site said. 

Mental health and victim support charities reported being overwhelmed with calls from distressed people fearing that their intimate conversations with their therapists would be publicly released.

– Nothing ‘to be ashamed of’ –

One of the recipients of a blackmail threat, the former MP Kirsi Piha, tweeted a screenshot of the ransom message along with a defiant reply to the hackers.

“Up yours! Seeking help is never something to be ashamed of,” Piha wrote.

“I’ve seen a lot, but I haven’t seen this,” Mikko Hypponen, chief research officer at data security firm F-Secure said in a statement.

“I don’t think there’s a crime in our criminal history which would have more victims than this one.”

Hypponen, an internationally renowned cybersecurity specialist, said the perpetrator used the alias “ransom_man”, and said he was only aware of one other patient blackmail case, where a cosmetic surgery clinic in Florida had a smaller amount of data stolen in 2019. 

On Monday, Finland’s social care regulator said in a statement it was investigating Vastaamo’s practices, including how well patients were kept informed of the breach.

Meanwhile, the head of the state digital services agency DVV, Kimmo Rousku, said that the cyberattack could have been avoided if Vastaamo had used better encryption.

DVV published a checklist on Monday for firms to make sure their digital security is in order.

“Management needs to wake up,” Rousku told public broadcaster Yle.

A phone line offering legal advice had also been set up, the country’s consumer authority announced.