Finnish Patients Blackmailed After Clinic Data Breach

Patients whose data was stolen in a cyber-attack on a Finnish psychotherapy clinic are being individually blackmailed.

An attack on the Vastaamo practice in November 2018 resulted in the theft of a customer database, with a second potential breach occurring in March 2019. Vastaamo serves thousands of patients from around 20 branches at locations across Finland.

The data breach came to light in September 2020 when a blackmailer approached three Vastaamo employees.

The compromised patient data appears to have included therapy session notes detailing what was discussed, along with personal identification records.

According to the Associated Press news agency, the records of around 300 Vastaamo patients have been published on the dark web.

Vastaamo has stated that it is cooperating fully with law enforcement and has advised any patients who have been contacted individually by a blackmailer to go to the police. The clinic described the incident as "a great crisis."

The clinic has set up a helpline for victims, who are also being offered a free, unrecorded therapy session.

News site Yle reported that the Finnish government held an emergency meeting about the situation on Sunday night, in which Interior Minister Maria Ohisalo described the security incident and the subsequent blackmailing as "exceptional."

A Vastaamo patient who was contacted by the blackmailer told the BBC that he didn't think handing over a ransom would guarantee the safety of his data.

The victim, who asked to be referred to only by his first name, Jere, said that someone describing themselves as "the ransom guy" had contacted him to demand a payment of €200 ($236) in Bitcoin. Jere was told that he was being contacted after Vastaamo had refused to pay a ransom of 40 Bitcoin ($515,632).

The blackmailer told Jere that if he didn't pay within 24 hours, the ransom would increase to €500 ($590). If no payment had been received within 72 hours, notes from psychotherapy sessions Jere completed as a teenager would be published.

"Those notes contain things I'm not ready to share with the world," said Jere. "And having someone threaten me with said notes certainly makes me extremely uncomfortable."

Jere, who said he could not afford to pay the ransom, added: "I feel like paying won't guarantee that my data will remain safe."
