A company that offers psychotherapy to thousands of patients across Finland says it’s been the victim of a data breach, with the personal information of customers held for ransom. Vastaamo, which sees patients in 20 cities including Helsinki, Joensuu, Jyväskylä, Pori, Turku and Tampere, says “an unknown hostile party” got in touch with them saying they had obtained customer details.

“As a company providing psychotherapy services, the confidentiality of customer information is extremely important to us and the starting point for all our operations. We deeply regret the leak due to the data breach” says Tuomas Kahri, Vastaamo’s Chairman of the Board in a statement. “We are constantly developing our information security and data protection, and we will take additional measures when our own investigations and regulatory investigations are completed.”

At first, sources reported that the hacker had demanded approximately half a million dollars not to dump the data. However, this was not confirmed by Vastaamo, who explained they had notified the public and patients as soon as the government authorities gave them permission to do so. In addition, Ilto-Sanomat reports the hacker - who calls himself "RAMSON_MAN" - contacted them and is allegedly demanding 40 btc (450,000 euros).

The attacker has also reportedly dumped hundreds of patient files on a dark web site, and is also contacting other individual patients with blackmail demands — either pay the attacker(s) ransom or have their psychotherapy records dumped. Vastaamo issued an update, noting that other patient records may have been breached. 

Ray Kelly, principal security engineer at WhiteHat Security, a San Jose, Calif.-based provider of application security, says, “What is interesting about this incident is that it has evolved from a basic data leak and ransom attack to a targeted blackmail situation. While all leaks, especially related to a patient’s health are sensitive, this type of data is not as simple as a case of high blood pressure. The attackers ability to disclose a patients psychological records can be immensely damaging to a person’s reputation and affect many aspects such as relationships or their career. The incentive for someone to pay the malicious actor is very high in this situation.”  

According to Jack Mannino, CEO at nVisium, a Falls Church, Virginia-based application security provider, “Many small to mid-sized medical healthcare providers and private education institutions rapidly became technology shops this year as the pandemic hit. In many cases, basic security controls and protections have been largely ignored, often due to the absence of understanding or the resources to tackle these challenges. Unfortunately, these institutions often don't have the in-house capabilities to perform security monitoring and continuous hardening of their environments. As their attack surface continues to increase, the patient data will remain a target across healthcare providers and schools.”

With nearly 70 percent of Americans agreeing they’d sever ties with their healthcare provider if they found that their personal health data was not being properly protected – this latest news is a clear indicator of data security concerns here in the U.S. rapidly expanding on a global scale. 

“In the case of Vastaamo, it appears that the organization may have been aware of prior breach activity and/or challenges with their security posture as we saw the CEO let go earlier today.  Healthcare leaders need to take notice that their responsibility does not stop with a patient's physical or mental health but it also extends to their digital health," explains CynergisTek CEO Caleb Barlow. “The situation at Vastaamo underscores the importance of institutions having an independent and impartial third party security assessment on an annual basis to ensure that a strong security program has been implemented and to validate that controls are working properly."

 “During the pandemic we know that mental health visits are one of the most popular solutions for telehealth, but the situation at Vastaamo underscores the importance for providers to re-evaluate their security posture and controls. As much as telehealth has accelerated by 5-10 years during the pandemic, we need to ensure that security controls have accelerated at a similar rate to protect this information," adds Barlow.