The confidential treatment records of tens of thousands of psychotherapy patients in Finland have been hacked and some leaked online, in what the interior minister said Monday was "a shocking act."

Distressed patients flooded victim support services over the weekend as Finnish police revealed hackers accessed records belonging to private company Vastaamo, which runs 25 therapy centres across Finland.

Thousands have filed police complaints over the breach, they added.

Many patients reported receiving emails with a demand for 200 euros ($236) in bitcoin to prevent the contents of their discussions with therapists being made public.

"The Vastaamo data breach is a shocking act which hits all of us deep down," Interior Minister Maria Ohisalo wrote on her website on Monday.

Finland must be a country where "help for mental health issues is available and it can be accessed without fear."

Ministers met for crisis talks this weekend, with further emergency discussions tabled for the coming week over the unprecedented data breach.

"We are investigating an aggravated security breach and aggravated extortion, among other charges," Robin Lardot, the director of Finland's National Bureau of Investigation, told a news conference at the weekend.

Lardot added that they believed the number of patients whose records had been compromised numbered in the tens of thousands.

On Monday, Vastaamo said it had started an internal enquiry, and that the security of its patient records database had been checked.

It noted that the actual theft was believed to have happened two years ago.

"According to current information it is secure and no data has leaked since November 2018," the firm's chairman, Tuomas Kahri, told newspaper Helsingin Sanomat.

Security experts reported that a 10-gigabyte data file containing private notes between at least 2,000 patients and their therapists had appeared on websites on the so-called dark web.

Many victims of the hack reported receiving emails with a demand for 200 euros ($236) in bitcoin to prevent the contents of their discussions with therapists being made public.
Many victims of the hack reported receiving emails with a demand for 200 euros ($236) in bitcoin to prevent the contents of their discussions with therapists being made public. AFP / NICOLAS ASFOURI

The hack, which targeted some of society's most vulnerable including children, has caused widespread shock in the Nordic country of 5.5 million, with ministers gathering on Sunday to discuss how to support the patients whose sensitive data had been leaked.

"It is absolutely clear that people are justifiably worried not only about their own security and health but that of their close ones too," Ohisalo told reporters late on Sunday.

On Monday, authorities launched a website for victims of the cyberattack, offering advice and telling them not to pay the ransom demand.

"Do not communicate with the extortionist, the data has most likely already been leaked elsewhere," the "Data Leak Help" site said.

Mental health and victim support charities reported being overwhelmed with calls from distressed people fearing that their intimate conversations with their therapists would be publicly released.

One of the recipients of a blackmail threat, the former MP Kirsi Piha, tweeted a screenshot of the ransom message along with a defiant reply to the hackers.

"Up yours! Seeking help is never something to be ashamed of," Piha wrote.

"This is a very sad case for the victims, some of which are underage. The attacker has no shame," Mikko Hypponen of data security firm F-Secure said on Twitter, adding that the perpetrator was using the alias "ransom_man".

Hypponen, an internationally renowned data security specialist, called the breach "highly unusual" and said he was only aware of one other patient blackmail case, where a cosmetic surgery clinic in Florida had a smaller amount of data stolen in 2019.

On Monday, Finland's social care regulator said in a statement it was investigating Vastaamo's practices, including how well patients were kept informed of the breach.

Meanwhile the head of the state digital services agency DVV, Kimmo Rousku, said that the cyberattack could have been avoided if Vastaamo had used better encryption.

DVV published a checklist on Monday for firms to make sure their digital security is in order.

"Management needs to wake up," Rousku told public broadcaster Yle.

A phone line offering legal advice had also been set up, the country's consumer authority announced on Monday.