Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Private Psychotherapy Notes Leaked in Major Finnish Hack

The confidential treatment records of tens of thousands of psychotherapy patients in Finland have been hacked and some leaked online, in what the interior minister said Monday was “a shocking act.”

The confidential treatment records of tens of thousands of psychotherapy patients in Finland have been hacked and some leaked online, in what the interior minister said Monday was “a shocking act.”

Distressed patients flooded victim support services over the weekend as Finnish police revealed hackers accessed records belonging to private company Vastaamo, which runs 25 therapy centres across Finland.

Thousands have filed police complaints over the breach, they added.

Many patients reported receiving emails with a demand for 200 euros ($236) in bitcoin to prevent the contents of their discussions with therapists being made public.

“The Vastaamo data breach is a shocking act which hits all of us deep down,” Interior Minister Maria Ohisalo wrote on her website on Monday.

Finland must be a country where “help for mental health issues is available and it can be accessed without fear.”

Ministers met for crisis talks this weekend, with further emergency discussions tabled for the coming week over the unprecedented data breach.

“We are investigating an aggravated security breach and aggravated extortion, among other charges,” Robin Lardot, the director of Finland’s National Bureau of Investigation, told a news conference at the weekend.

Advertisement. Scroll to continue reading.

Lardot added that they believed the number of patients whose records had been compromised numbered in the tens of thousands.

On Monday evening, Vastaamo said it had fired its CEO, Ville Tapio, after an internal enquiry discovered that he had concealed a March 2019 data breach from the board and the firm’s parent company.

The firm admitted flaws in the security of its customer data, “which allowed criminals to break into the database up until March 2019,” Vastaamo said in a statement.

The company’s owner, PTK Midco Oy, on Monday launched court proceedings “in relation to its May 2019 purchase of Vastaamo,” the statement added.

– ‘Justifiably worried’ –

Security experts reported that a 10-gigabyte data file containing private notes between at least 2,000 patients and their therapists had appeared on websites on the so-called dark web.

The hack, which targeted some of society’s most vulnerable including children, has caused widespread shock in the Nordic country of 5.5 million, with ministers gathering on Sunday to discuss how to support the patients whose sensitive data had been leaked.

“It is absolutely clear that people are justifiably worried not only about their own security and health but that of their close ones, too,” Ohisalo told reporters late on Sunday.

On Monday, authorities launched a website for victims of the cyberattack, offering advice and telling them not to pay the ransom demand.

“Do not communicate with the extortionist, the data have most likely already been leaked elsewhere,” the “Data Leak Help” site said. 

Mental health and victim support charities reported being overwhelmed with calls from distressed people fearing that their intimate conversations with their therapists would be publicly released.

– Nothing ‘to be ashamed of’ –

One of the recipients of a blackmail threat, the former MP Kirsi Piha, tweeted a screenshot of the ransom message along with a defiant reply to the hackers.

“Up yours! Seeking help is never something to be ashamed of,” Piha wrote.

“I’ve seen a lot, but I haven’t seen this,” Mikko Hypponen, chief research officer at data security firm F-Secure said in a statement.

“I don’t think there’s a crime in our criminal history which would have more victims than this one.”

Hypponen, an internationally renowned cybersecurity specialist, said the perpetrator used the alias “ransom_man”, and said he was only aware of one other patient blackmail case, where a cosmetic surgery clinic in Florida had a smaller amount of data stolen in 2019. 

On Monday, Finland’s social care regulator said in a statement it was investigating Vastaamo’s practices, including how well patients were kept informed of the breach.

Meanwhile, the head of the state digital services agency DVV, Kimmo Rousku, said that the cyberattack could have been avoided if Vastaamo had used better encryption.

DVV published a checklist on Monday for firms to make sure their digital security is in order.

“Management needs to wake up,” Rousku told public broadcaster Yle.

A phone line offering legal advice had also been set up, the country’s consumer authority announced.

Written By

AFP 2023

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.