A cyberattack on a Finnish psychotherapy group has left the treatment records of tens of thousands of patients at risk.
Individual patients from therapy clinic operator Vastaamo have been emailed with demands for bitcoins worth €200-500 (£180-450) in return for having their data deleted.
Around 10GB of information on 300 patients, including diagnoses, contact information and patient diaries, has already been leaked on a Tor site.
Vastaamo has said that it was subject to two attacks, the first of which began almost two years ago. The attacks only came to light in the past week, and the company has since started an internal inquiry into the breach.
“According to current information, it is secure and no data has leaked since November 2018,” the company’s chairman, Tuomas Kahri, was quoted as saying by Finnish newspaper Helsingin Sanomat.
The company operates a chain of 25 psychotherapy clinics and treats around 45,000 patients.
Vastaamo’s board has since dismissed CEO Ville Tapio over allegations that he kept the data breach secret for a year and a half and was aware of the second breach. The first breach took place around November 2018, with the second taking place in March 2019.
Whilst the exact scale of the breach, and exactly what data was taken, is not yet known, Finland’s National Bureau of Investigation (NBI) has warned that it may include personal data on “tens of thousands” of Vastaamo’s clients. So far, thousands of patients have made complaints to the Finnish police.
The authorities have launched a website for victims of the hack, offering advice and warning them not to communicate with the extortionist or pay the ransom.
According to a tweet from F-Secure CRO Mikko Hyppönen, the attacker goes by the name ‘ransom_man’. At present, there is no information linking the attack to any particular cybercriminal organisation or to a specific nation.
The hacker initially made a ransom demand to Vastaamo for €450,000, but claimed in their ransom letters to patients that since “the management of this company has refused to take responsibility for their own mistakes, we will have to ask you to keep your personal data safe”.
The move to demand ransoms directly from the individuals whose data was stolen is at odds with most other extortion attacks: recent major breaches, such as the Blackbaud attack, involved demands made to the breached company rather than to the people whose records were exposed.
The evolving attack has provoked outrage in Finland, along with solidarity with the victims, in part because of the highly sensitive nature of the data and in part because the extortionist has targeted the patients themselves.
In response to the hack, Finland’s Interior Minister, Maria Ohisalo, called an emergency meeting of key Cabinet members on 25th October to discuss the event. She promised to “provide speedy crisis help to victims” of the attack.
With the Finnish Government convening on 28th October, the hack and resulting cybersecurity issues are expected to be on the agenda.
“We’re developing the society in a direction where no one has to be afraid to seek help. We’re talking about the concept of comprehensive security and how members of society trust the authorities and organisations providing the help,” she was quoted as saying by the Helsingin Sanomat.