Vastaamo Breach: Hackers Blackmailing Psychotherapy Patients


Cybercriminals have already reportedly posted the details of 300 Vastaamo patients – and are threatening to release the data of others unless a ransom is paid.

Cybercriminals have hacked the systems of psychotherapy giant Vastaamo – and are now reaching out to therapy patients, threatening to dump their patient files if they do not pay a ransom.

Finland-based Vastaamo, which has more than 40,000 psychotherapy patients, said on its website that its customer register was likely compromised between the end of November 2018 and March 2019 (it’s unclear why the data is only surfacing now). The breach – and subsequent reports of the hacker directly contacting patients with blackmail threats – is serious enough that it spurred an emergency meeting on Sunday in Finland’s Cabinet.

“The attacker has no shame,” warned Mikko Hypponen, chief research officer at Finland-based F-Secure, on Twitter this weekend. “The attacker calls himself ‘ransom_man’, and is running a Tor site on which he has already leaked the therapist session notes of 300 patients,” he said. “This is a very sad case for the victims, some of which are underage.”

So far, according to Vastaamo, the names and contact information of those 300 patient records have been published. Beyond names and contact data, it’s unclear how much other data was compromised in the breach – such as private notes from therapy sessions or otherwise. According to reports, the attackers acquired the records of patients who had registered before the end of November 2018.

Making matters worse, according to Vastaamo and to various reported victims speaking out on Twitter, the cybercriminals are now approaching patients directly and demanding a ransom of $240 (200€) from each of them – an amount that rises to 500€ if they do not pay within 24 hours. The attackers also reportedly demanded $534,000 (450,000€) in Bitcoin from Vastaamo itself.

Threatpost has reached out to Vastaamo regarding the nature of the data breach, what information was accessed and how data is stored and secured. According to the company’s website, all patient records must be kept for at least 12 years after the information was recorded.

“Our information systems have been reviewed, are highly secure, and their use is effectively monitored by security professionals,” according to the company, in a translated statement on its website. “We will continue to take action. We do our best to find out what happened and work with the authorities to prevent the spread of confidential information.”

Jack Mannino, CEO at nVisium, told Threatpost that many small- to mid-sized medical healthcare providers and private education institutions lack basic security controls and protections — often due to the absence of understanding or the resources to tackle these challenges.

“Unfortunately, these institutions often don’t have the in-house capabilities to perform security monitoring and continuous hardening of their environments,” he said. “As their attack surface continues to increase, the patient data will remain a target across healthcare providers and schools.”

The company also said that if customers have been the victim of blackmail, they recommend reporting the threat to the police.

“We deeply regret what happened and on behalf of our customers who have been compromised,” according to the company. “The authorities and the Response Office will do their utmost to find out what happened, to prevent the dissemination of information and to bring the perpetrators to justice.”

The sensitive nature of the data makes this breach – and subsequent ransom threats – particularly insidious.

“While all leaks, especially related to a patient’s health, are sensitive, this type of data is not as simple as a case of high blood pressure,” Ray Kelly, principal security engineer at WhiteHat Security, told Threatpost. “The attacker’s ability to disclose a patient’s psychological records can be immensely damaging to a person’s reputation and affect many aspects, such as relationships or their career. The incentive for someone to pay the malicious actor is very high in this situation.”

Other data leaks that exposed sensitive user data have occurred recently. Last week, researchers found an unprotected Google Cloud storage bucket owned by pharma giant Pfizer that exposed data including phone-call transcripts and personally identifiable information (PII).

And in September, a cyberattack at the U.S. Department of Veterans Affairs (VA) impacted about 46,000 veterans, exposing their financial information; and another incident at the U.K.’s National Health Service exposed personal information for 18,105 Welsh citizens.
