Finnish police announced on Thursday that the personal data of tens of thousands of citizens had been compromised in a data breach of one of the country’s largest psychotherapy centers.
The hackers are now demanding 450,000 euros (~$530,000) in Bitcoin in exchange for not publishing the data, which according to Finnish National Broadcaster YLE, consists of patient names, telephone numbers, email addresses, and social security numbers, as well as sensitive mental health information, including notes from therapy sessions. The breach has rocked the small Nordic nation and filled the front pages of its largest daily newspapers.
In a statement posted to its website, Vastaamo, the company targeted by the hack, wrote: “An unknown hostile party has been in contact with Vastaamo and claims to have obtained confidential information from the company's customers. The Central Criminal Police launched a criminal investigation into the matter. Immediate notifications were also made to the Finnish Cyber Security Center, Valvira and the Data Protection Commissioner. In addition, Vastaamo took immediate steps to clarify the matter in cooperation with external and independent security experts.”
The breach was initially publically discovered on Wednesday when the personal data of a 100 patients was published to a site using the Tor anonymity network. The hackers then released the data of another 100 patients on Thursday before mysteriously deleting the site on Friday. But, according to Finnish law enforcement, victims have continued to receive emails directly from the hackers threatening to release personal information unless they paid between €200 (
$233) and €540 ($635).
“Police remind victims that the ransom should not be paid and does not guarantee the deletion of personal information or prevent possible misuse,” Finnish police wrote in a Sunday press release. “The case is very unfortunate for the victims and we would like to emphasize that the victims must not in any way blame themselves for being involved.”
Few details are publicly known about the breach, including the vulnerability or method that allowed the hackers to access Vestaamo’s database. However, Vastaamo did confirm that the initial breach most likely took place between November of 2018 and March of 2019, prompting questions of why the hackers have waited so long to ransom the data. Vastaamo also claimed that the database was currently secure and no information prior to November of 2018 had been released.
To make matters worse, today Finnish media reported that Vastaamo CEO Ville Tapio almost certainly knew about a seperate breach by the same group in March of 2019 for a year and a half. The company confirmed that it had fired Tapio and had initiated legal proceedings. But, a number of other questions still remain, including why law enforcement asked the company to not inform their patients that the breach had taken place. For now, police have remained relatively tight-lipped.
“On a Finnish scale, this is an exceptional data burglary, especially considering the sensitive nature of the material being spread online,” Marco Leponen, the director of investigation and crime at the Central Criminal Police said in a press release. “We understand that the victims whose personal information has been disseminated may experience anxiety and uncertainty. We encourage them to contact the Victim Support Service.”
In an email to Motherboard, Mari Ukkonen, the communications coordinator of the Finnish National Bureau of Investigation wrote “The National Bureau of Investigation (NBI) Finland is investigating the case that you linked about,” but did not provide further comment. Vastaamo did not immediately reply to a request for comment.