A nightmare breach involving psychotherapy records just got worse
There’s an update to a previous post about a ransom situation in Finland impacting 40,000 psychotherapy patients at Vastaamo. As initially reported by Vastaamo, a psychotherapy practice with multiple offices and locations, they had been hacked and the hacker had acquired records of patients who had registered before the end of November 2018. Other sources reported that the hacker had demanded approximately half a million dollars not to dump the data, but that was not confirmed by Vastaamo, who states that they started notifying the public and patients as soon as the government authorities gave them permission to do so. Ilta-Sanomat reports the blackmailer contacted them and is demanding 40 BTC (450,000 euros).
Vastaamo has updated its web site with the latest development, and others are discussing it on social media, where the threat actor’s language fluency in Finnish — or lack thereof — has been discussed, as well as the attacker seeking help writing ransom demands in Finnish. The request for help could have been misdirection, of course.
According to Vastaamo, the ransom messages are titled, for example, “Answering Office Information” and contain the patient’s personal information. Vastaamo wants patients to know that such messages are not coming from Vastaamo’s Answering Machine.
The types of information the attacker may have acquired include contact information and personal identity number. A Google translation of Vastaamo’s FAQ follows:
Based on these, the customer number (customer ID) created for each customer contains information manually entered by the healthcare professional. Discussions are not spelled out, but the entries are narrower professional entries. The dates of visits marked as completed and unrealized, as well as appointment entries and log information on the data processing that took place at any given time, have been entered in the register. Customer information may also include care plans and management goals and statements made to authorities or the customer themselves. See more detail on our website www.vastaamo.fi/tietosuoja the leaflet where you can find detailed information in our customer and patient register.
Video sessions are not recorded, so the attacker does not possess any videos of patient sessions, but might have acquired notes from sessions created by the therapist.
But there is no doubt that this is a serious privacy and data breach. Vastaamo now says that it is not just patients registered before November 2018 who have been impacted, but there is also some indication that patients registered before the end of March 2019 may have also had their data accessed. [Note: YLE.fi seems to be reporting this as two breaches, and maybe my translation is poor, but I had read it as one incident that involved more data than Vastaamo originally recognized. Reading other sites raises more questions: did the breach occur before the end of November 2018, or was it more recent but just attacked older data? And was there a second breach or attacker or did the first attacker attack again when they realized the value of what they had? There are a lot of questions that need answers.]
This is obviously a developing situation. Vastaamo has not revealed how the threat actor gained access to their system, or why their system security did not detect the intruder’s presence in the system or exfiltration of what appears to be tremendous amounts of data. Did the attacker disable defenses or were the defenses not in place? Patients will likely have a lot of understandable questions as to how this happened, but the immediate concern, of course, is to try to stop the attacker from dumping more data or otherwise misusing it.