Even for veterans of cybercriminal investigations, the recent extortion of a psychotherapy practice in Finland has been unusual — and disturbing.
Rather than sticking only to the common tactic of trying to shake down a breached organization, the attackers who stole tens of thousands of patient records from Vastaamo also demanded ransoms from individual people. In doing so, the thieves have been leveraging some of the most sensitive medical data imaginable, and making it difficult for victims to respond collectively.
“Therapeutic notes are at a different level of privacy problems,” said Mikko Hypponen, chief research officer at Finnish cybersecurity company F-Secure. “I know of a handful of cases where patients were blackmailed for their health data, but those were much smaller breaches. There’s never been a crime in Finland with so many victims as in this one.”
While the incident has rocked Finland, prompting an emergency government meeting and costing Vastaamo’s CEO his job, it could also have repercussions far beyond the Nordic country. At issue are the obligations of health care organizations to defend their computer networks, and victims’ ability to hold organizations accountable for failing to do so.
In Vastaamo’s case, the cause wasn’t ransomware, as has been so common with health care organizations in the U.S. and elsewhere in Europe. The initial breach reportedly took place in 2018, with another hack following in 2019. But victims only began receiving messages demanding payment in cryptocurrency in recent weeks, underscoring how the targets of sensitive data heists are sometimes forced to look over their shoulders for years.
“This sort of extortion scheme makes it apparent that the risk to organizations lies not only in protecting corporate data, but ensuring that sensitive information of customers [in this case, patients] is protected to minimize the risk of what could become a dual extortion scheme,” said Lindsay Kaye, director of operational outcomes at threat intelligence company Recorded Future. “If this is financially successful, it may inspire other threat actors to do something similar.”
For Ryan Louie, a U.S.-based psychiatrist who focuses on the cybersecurity industry, the Vastaamo incident is a cruel reminder of what’s at stake in the cybersecurity of mental health practices.
“When there is such a visceral threat and damage, I think the term ‘violated’ that I often hear mentioned by victims of data and privacy breaches can also apply to the mental health care system overall,” Louie said. “It’s a direct hit on not just cybersecurity, but also on ‘psybersecurity’ — that junction of feeling secure in mental health and in the digital world.”
In the months since the coronavirus pandemic erupted, there have been numerous digital extortion schemes aimed at health care organizations, from small clinics to big hospitals. But the Vastaamo case shows that the potential consequences of such attacks sometimes aren’t fully appreciated until the most sensitive data is stolen.
Help from the infosec community
Much about who was behind the breach and how they carried it out remains a mystery in the public eye. Finnish police are still investigating. The long interval between breach and extortion demands only complicates the matter.
“We cannot be sure the one behind the breach is the one extorting victims,” Tero Muurman, a spokesperson for the cybercrime center at Finland’s National Bureau of Investigation (NBI), said in an email. “We don’t know whether the suspect/s is/are based in Finland or abroad.”
Vastaamo, which has practices throughout Finland, has apologized for the breach and offered a crisis hotline and other forms of support for the victims.
The country’s tight-knit cybersecurity community also is rallying in response. KyberVPK, a volunteer group of cybersecurity professionals, has published a guide in Finnish and English for how victims of the breach can recover. It includes mental-health advice (“take care of yourself; “you are not alone”) and tips on setting up two-factor authentication to secure accounts.
“I’ve witnessed many of us come together to help the victims of this despicable crime,” said Sami Tainio, a Finnish cyber professional.
As KyberVPK’s work has become known to victims, the members are getting more requests for technical help. People are “worried whether they might get malware on their computers if they open the ransom email, or even if their emails might have been hacked as a result of the breach,” KyberVPK’s Markus Räty, Anu Laitila, Ossi Väänänen and Mikko Kenttälä told CyberScoop in a joint email.
KyberVPK is planning to stream a question-and-answer session on social media to explain a technically complex situation to the public. The police have thanked the white-hat hackers for their help.
“Many of our members have high technical skills and previous connections with the official agencies, and we have been helping the NBI by engaging in open source intelligence gathering and reporting our findings to them,” the KyberVPK representatives said.
The legal ramifications of the Vastaamo breach are still unfolding. There are demands for stricter data regulations in Finland, given the pain the incident has caused. The European Union’s General Data Protection Regulation (GDPR), under which authorities can fine companies for breaches, applies to Finland.
Jukka Lang, a Helsinki-based lawyer focused on data privacy, said there have only been a handful of incidents in which Finland’s data protection authorities have fined organizations for breaches. “The general awareness on the importance of GDPR obligations is still on a developing level,” he said.
Compounding matters, Finnish procedural law does not allow for class-action lawsuits, Lang said. That means the type of solidarity offered in the security realm by KyberVPK could be elusive in the court room.
“Many of the victims are nevertheless contemplating legal action,” Lang said. “Time for that may, however, be in distant future where the authorities have first investigated the matter.”