Psychiatric Patients Blackmailed With Therapy Notes Following Finnish Clinic Data Breach

Finland is shocked by the news of an unusual cyber-attack on its Psychotherapy chain clinic Vastaamo, which serves more than 400,000 patients across the country. The incident came to the fore over the weekend when the patients of the clinic started receiving extortion emails from the cyber criminals.

Finland's Interior Minister Maria Ohisalo on Sunday summoned key Cabinet members into an emergency meeting to discuss the massive data breach, the Associated Press reported.

Vastaamo offers psychotherapy services in 20 Finnish cities, including Helsinki, Joensuu, Jyväskylä, Pori, Turku and Tampere. The hackers threatened the company to pay 40 bitcoins in exchange for not publishing the hacked data and the clinic reportedly did not pay the ransom.

Therapist session notes of about 300 patients have already been published on a Tor-accessible site on the dark web. The patients, whose personal information was taken in the data breach, have been receiving threatening emails from the attacker who addresses himself as “ransom man” asking for a bitcoin ransom of $230.

The Interior Minister Maria tweeted that the incident is “shocking and something which hits us deep down.” She also added that Finland must be a country where help for mental health issues is available and can be accessed without fear.

An investigation into the attack has been initiated, involving the Finnish Cyber Security Centre, the National Bureau of Investigation and cybersecurity experts from private sector companies.

“As a company providing psychotherapy services, the confidentiality of customer information is extremely important to us and the starting point for all our operations. We deeply regret the leak due to the data breach,” said Tuomas Kahri, Vastaamo’s Chairman of the Board, in a statement.

The company also admitted that the stolen data comprises personal and health information, including therapist session notes, dates of visits, care plans, management goals and statements.

Mikko Hypponen, from cyber-security company F-Secure, tweeted the attacker "had no shame". He also added that it is shocking that some of the victims are minors. The victims also include some Finnish politicians.

Vastaamo said that the first incursion to the clinic's data was probably between November 2018 and March 2019 in a statement to the Associated Press.

The psychotherapy center has also announced the dismissal of its CEO, Ville Tapid, for hiding a second infiltration into the company's data security system that happened in March 2019.

Meanwhile, various Finnish organizations have come forward to help the victims of the breach by providing direct dial-in numbers with churches and therapy services.