Gerard O’Dwyer reports: The huge data security breach and cyber-ransom attack at Finland’s Vastaamo Psychotherapy Centre has provoked a swift response from the government, which is primed to introduce more rigid laws and measures to protect the country’s databases and sensitive information from cyber criminals. […] In a significant bolstering of Finland’s data security laws, new legislation will require all enterprises offering social and healthcare services to join Kanta’s state-run national digital services platform. Kanta operates a secure database system that requires enhanced electronic recognition, supported by banking codes, to access social welfare and healthcare sector databases. All public sector social welfare and healthcare services use the Kanta system, which is voluntary for private enterprises. Read more on ComputerWeekly.com.
William Ralston has a piece on Wired to put a human face on what happened to Finnish therapy patients of the Vastaamo clinic. The Vastaamo hack, extortion attempt, and data dump was one of the worst breaches of 2020 and an absolute nightmare in terms of a breach exposing personal and sensitive information. And what first appeared to be a horrifying breach became a scandalous breach when it was later learned that an earlier breach had been covered up instead of properly remediated. Today’s piece by Ralston is not his first piece on the Vastaamo incident but is well worth reading – not only to appreciate the human impact of breaches, which can be both severe and long-lasting, but also because this is one of those incidents that entities should never forget and strive to prevent every day in their own facilities and organizations. Read the story on Wired.
Graham Cluley reports: Vastaamo, the Finnish psychotherapy practice that covered up a horrific security breach which resulted in patients receiving blackmail threats, has declared itself bankrupt. Read more on Hot for Security.
William Ralston reminds us how devastating the Vastaamo breach and ransom incident has been: Jukka-Pekka Puro will never forget 2017. Facing the heartbreak of a divorce, Puro, a university lecturer in Turku, southwestern Finland, found himself tussling with depression. This spiralled into suicidal ideations when doctors told him he had aggressive kidney cancer, and no more than a few years to live. He knew he needed professional help. Puro turned to Vastaamo, a private company that runs 25 therapy centres across Finland, and sub-contracts psychotherapy services for Finland’s public health system. Through a handful of therapy sessions he divulged intimate details about his personal life and mental health issues and slowly came to accept that he was soon going to die. Read more on Wired.
The Finnish Government has decided on measures to help victims of identity theft and to improve personal identity protection. The Ministry of Social Affairs and Health will firstly ensure that the victims of the data breach at Psychotherapy Centre Vastaamo continue to receive the necessary psychosocial and other support. Support will continue to be provided through a number of different operators and channels for as long as is required. The Ministry will also monitor and coordinate the aftercare of the situation within the healthcare and social welfare services system. Read more on Security Document World.
There’s a small update to the horrific breach involving Finnish psychotherapy patients seen at Vastaamo locations. Vastaamo’s CEO Ville Tapio has been fired. Graham Cluley brings us up to date on that: An investigation has uncovered that the database of customer details and therapy session notes was first breached in November 2018, but there was another security breach in mid-March 2019 which apparently CEO Ville Tapio knew about but – for reasons best known to himself – did not inform the appropriate authorities or other members of Vastaamo’s board. News of Vastaamo’s devastating data breach was not made public until 18 months later on October 21, 2020, and Tapio was dismissed yesterday. So there was a second breach, it seems, and it wasn’t just one bigger breach. Okay. Another new revelation may not be related to the specific breach as much as sloppy data security and violation of GDPR. YLE.fi reports: The troubled psychotherapy centre Vastaamo sent at least some of its customers invoices that included their government-issued personal ID numbers in unsecured emails. The private mental health services firm has been at the centre of a hacking and blackmail scandal for the past week after it emerged that highly sensitive information on thousands of patients had been stolen from its database. Read more about that issue on YLE.fi.
There’s an update to a previous post about a ransom situation in Finland impacting 40,000 psychotherapy patients at Vastaamo. As initially reported by Vastaamo, a psychotherapy practice with multiple offices and locations, they had been hacked and the hacker had acquired records of patients who had registered before the end of November 2018. Other sources reported that the hacker had demanded approximately half a million dollars not to dump the data, but that was not confirmed by Vastaamo, who states that they started notifying the public and patients as soon as the government authorities gave them permission to do so. Ilta-Sanomat reports the blackmailer contacted them and is demanding 40 btc (450,000 euros). Now the hacker, who calls themself “ransom_man”, has reportedly dumped hundreds of patient files on a dark web site, and is contacting other individual patients with blackmail demands — either pay the attacker(s) a 200 € ransom or have their psychotherapy records dumped. Vastaamo has updated its web site with the latest development, and others are discussing it on social media, where the threat actor’s language fluency in Finnish — or lack thereof — has been discussed, as well as the attacker seeking help writing ransom demands in Finnish. The request for help could have been misdirection, of course. According to Vastaamo, the ransom messages are titled, for example, “Answering Office Information” and contain the patient’s personal information. Vastaamo wants patients to know that such messages are not coming from Vastaamo’s Answering Machine. The types of information the attacker may have acquired include contact information and personal identity number. A Google translation of Vastaamo’s FAQ follows: Based on these, the customer number (customer ID) created for each customer contains information manually entered by the healthcare professional. Discussions are not spelled out, but the entries are narrower professional entries.
The dates of visits marked as completed and unrealized, as well as appointment entries and log information on the data processing that took place at any given time, have been entered in the register. Customer information may also include care plans and management goals and statements made to authorities or the customer themselves. See more detail on our website www.vastaamo.fi/tietosuoja the leaflet where you can find detailed information in our customer and patient register. Video sessions are not recorded, so the attacker does not possess any videos of patient sessions, but might have acquired notes from sessions created by the therapist. But there is no doubt that this is a serious privacy and data breach. Vastaamo now says that it is not just patients registered before November 2018 who have been impacted, but there is also some indication that patients registered before the end of March 2019 may have also had their data accessed. [Note: YLE.fi seems to be reporting this as two breaches, and maybe my translation is poor, but I had read it as one incident that involved more data than Vastaamo originally recognized. Reading other sites raises more questions: did the breach occur before the end of November 2018, or was it more recent but just attacked older data? And was there a second breach or attacker, or did the first attacker attack again when they realized the value of what they had? There are a lot of questions that need answers.] This is obviously a developing situation. Vastaamo has not revealed how the threat actor gained access to their system, or why their system security did not detect the intruder’s presence in the system or the exfiltration of what appears to be tremendous amounts of data. Did the attacker disable defenses, or were the defenses not in place? Patients will likely have a lot of understandable questions as to how this happened, but the immediate concern, of course, is to try to stop the attacker from dumping more data or otherwise misusing it.
NewsNow reports: A company that offers psychotherapy to thousands of patients across Finland says it’s been the victim of a data breach, with the personal information of customers held for ransom. Vastaamo, which sees patients in 20 cities including Helsinki, Joensuu, Jyväskylä, Pori, Turku and Tampere, says “an unknown hostile party” got in touch with them saying they had obtained customer details. Read more on NewsNow.