The response to a data breach at a prominent Finnish psychotherapy practice intensified over the weekend after cybercriminals reportedly posted batches of patient information on the dark web and claimed that individual people could protect their data by directly paying a ransom.
The breach at Vastaamo, which has locations throughout Finland, prompted an emergency meeting of the country’s Cabinet on Sunday. The company said the incident happened as early as November 2018. Local news reports say the attackers didn’t contact Vastaamo with any demands until September of this year.
Neither the company nor Finnish investigators have released many details about the nature of the breach, but reports say the attackers initially sought a payment of about 450,000 euros to protect about 40,000 patient records. The company reportedly did not pay up. Given the scale of the attack and the sensitive nature of the stolen data, the case has become a national story in Finland. Globally, attacks on health care organizations have escalated as cybercriminals look for higher-value targets.
Cybersecurity researcher Mikko Hyppönen told Finnish newspaper Ilta-Sanomat that the breach is probably the work of more than just one person. The case is highly unusual, according to the researcher, in that it’s rare to see this level of blackmail in a health care data breach. Hyppönen is research director for Helsinki-based F-Secure.
Vastaamo said customers and employees had “personally been victims of extortion” in the case. Reports say that on Oct. 21 and Oct. 22, the cybercriminals began posting batches of about 100 patient records on the dark web and allowing people to pay about 500 euros to have their information taken down.
The company has opened a crisis hotline for patients to call, with therapists available for free, and says it is working with credit-reporting organizations to protect the personally identifiable information of anyone affected by the breach.
In a statement Monday, Interior Minister Maria Ohisalo called the extortion attempts “exceptionally cowardly.”
“We must not give in to the blackmailers, and the perpetrators must be held accountable for their actions,” she said, according to a translation of her statement.
Vastaamo, which operates as a subcontractor for Finland’s national health system, said that as far as it knows, patient data created after November 2018 was not breached.