Hackers Blackmail Finnish Psychotherapy Provider and Patients

Vastaamo, a leading psychotherapy provider in Finland, has suffered a cyberattack that resulted in the theft of highly sensitive patient information. The attackers threatened to expose the stolen information if a ransom is not paid, and selected patient records have already been published online.

Vastaamo serves around 40,000 patients at more than two dozen clinics across Finland. Last week, Vastaamo began informing patients about the data breach after an individual contacted three of its employees and demanded a payment of 40 Bitcoin ($500,000) to prevent the exposure of the stolen patient information.

Vastaamo is not the only party to have received ransom demands. When Vastaamo did not pay, the attacker, who calls himself “the ransom guy”, also sent ransom demands directly to patients, requiring them to pay €200 ($236) in Bitcoin to prevent the publication of their data. Initial reports indicated that the information of around 300 patients had been posted on a darknet site, although later reports suggest that a 10GB file containing the records of approximately 2,000 patients was posted on the dark web.

The BBC contacted one patient who said the attacker gave him 24 hours to pay the initial ransom demand, or the notes from the psychotherapy he received as a teenager would be published. The attacker also said the demand would rise to €500 ($515) if the ransom was not paid within 24 hours.

Vastaamo reported on its website that access to its systems appears to have been gained at some point in November 2018, and that a second breach took place in March 2019. The stolen information appears to relate to patients who received treatment prior to November 2018, although it is possible that records were also stolen in the second breach in March 2019.

Vastaamo stated that the breach affected the following data: customer names, ID numbers, dates of consultations, and information entered manually by the psychotherapist, which may have included care plans, session notes, and statements submitted by patients to authorities.

It is unclear at this time how many Vastaamo patients were affected by the breach, although the director of Finland’s National Bureau of Investigation, Robin Lardot, believes the records of tens of thousands of patients were stolen. It is also unclear why the threats have only been issued now. One possibility is that the stolen data was sold to a third party, which has since launched an extortion campaign.

Records of psychotherapy sessions are among the most sensitive data held by healthcare providers. Patients discuss their problems in consultations in a confidential environment where they feel safe and protected, and the information disclosed in sessions may never have been shared with anyone else. Finland’s interior minister described the incident as “a shocking act which hits all of us deep down.” He added that Finland must be a country where help for mental health issues is available and can be accessed without fear.

For a company offering psychotherapy services, the confidentiality of customer data is vital and is the starting point for all of its operations. Vastaamo said it deeply regrets the leak resulting from the data breach. Vastaamo also stated that it has dismissed its CEO, Ville Tapio, for failing to inform its board of directors and parent company about the March 2019 breach.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.