Hackers rummaged about in Finnish psychotherapy clinic – now patients extorted with public data dump threats

A Finnish psychotherapy centre was hit by hackers who stole therapy session notes – before threatening patients of the clinic with ransom demands amid selective dark web leaks of stolen material.

“Psychotherapy Center Vastaamo has been the victim of data breaches and blackmail,” said the Helsinki-based clinical chain late last week (in Finnish), adding: “In recent days, the blackmailer has published sections of the information he obtained during the hacking. Now the blackmailer has begun to approach the victims of the breach with blackmail letters demanding a ransom.”

Vastaamo went public about the hack last week after the details of around 300 customers were published on a Tor website, according to infosec firm Bitdefender’s corporate blog.

Company chairman Tuomas Kahri told local newspaper Helsingin Sanomat (in Finnish) that “no information has been leaked since November 2018”. He added, in a statement on the clinic’s website first issued last week, that “it is likely that our system [was also] infiltrated between the end of November 2018 and March 2019.”

The statement continued: “We do not know that the database was stolen in this context, but it is possible that individual data was viewed or copied during that period,” explaining that while local admins could tell that a customer database had been accessed by the criminals, they couldn’t tell precisely whose data had been stolen.

Others with better knowledge of the local situation claimed that up to 40,000 people’s details had been stolen from the clinic. Mikko Hyponnen, chief research officer of Finnish infosec firm F-Secure, tweeted:

He added that the attack was a straight-up hack and ransomware was not used by the criminals.

A crisis hotline was made available for victims of personal extortion attempts to access support and therapy, while the local authorities – including Finland’s equivalent of the National Cyber Security Centre and the country’s data protection body, investigate the hack.

It seems unusual that the hackers waited so long to target the clinic, assuming the clinic’s own assertion that the illicit access stopped in March 2019 is accurate. Insider threat – potentially from a rogue former employee – could be one explanation, though the company has not yet responded to The Register‘s enquiries.

In this day and age, hacks and ransoms are synonymous with encryption malware: ransomware. Demands for payment in exchange for not publishing stolen data are relatively rare, though last year the South African city of Johannesburg faced such a demand – and publicly vowed to ignore it.

Local police have advised those affected (in Finnish) not to pay the ransom and asked that they preserve any messages as evidence and contact the police immediately. “Do not agree to the demands of the blackmail[ers],” advised Marko Leponen, chief inspector of the Keskusrikospoliisi (National Bureau of Investigation). ®

READ MORE HERE