A hacker has begun publishing files of Finnish psychotherapy clients on the dark web in an attempt to extort patients after successive data breaches of private mental health company, Vastaamo.
After the therapist refused to pay the hacker’s ransom, the blackmailer turned to individuals clients demanding they pay hundreds of dollars in bitcoin or else find their innermost thoughts published to the world.
The hacker reportedly has access to data on 40,000 patients and has already posted some of that data on the dark web alongside corresponding patient names.
“We deeply regret what happened and on behalf of our customers who have been compromised,” Vastaamo said.
“We apologise for the shortcomings in data security, the consequences and human cost of which have become extremely heavy.”
Following the ransom note, an external cybersecurity team was brought in to investigate the incident and discovered a November 2018 breach that saw unauthorised access of its patient database.
That breach had gone undetected until Vastaamo noticed another breach in March last year and tightened its security.
Finland’s Central Criminal Police said it did not yet know who was behind the crime.
“There are currently several lines of investigation, and the police are doing their best to find out about the crime,” the department said in a statement.
“The police guideline is still that nothing should be paid to the blackmailer and paying the blackmailer cannot ensure that the information remains confidential. A criminal report must be made.
“We understand that victims whose privacy information has been disseminated experience anxiety and uncertainty.”
Highly unusual ransom case underway here in Finland: a private psychotherapy clinic was hacked, and the therapist notes for maybe even 40,000 patients were stolen. Now the attacker has emailed the victims, asking each for 200 € ransom in Bitcoin. #vastaamo— @mikko (@mikko) October 24, 2020
Mikko Hypponen, Chief risk officer at Finnish cybersecurity company F-Secure, said the incident was “highly unusual”.
“The attacker calls himself ‘ransom_man’, and is running a Tor site on which he has already leaked the therapist session notes of 300 patients,” he said.
“This is a very sad case for the victims, some of which are underage. The attacker has no shame.”
Hypponen pointed out that, while rare, this sort of cybersecurity ransom case is not unprecedented.
Last year, a US plastic surgeon’s office was breached with the bad actor saying they had “the complete patient’s data” which could “be publicly exposed or traded to third parties” unless the plastic surgeon paid a ransom.
Similarly, the plastic surgeon’s office reported hearing from up to 20 patients who received blackmail notices threatening to publicly release photos and other information if negotiations failed.
Public health services have been a regular target for hackers looking for an easy payday. Last October, hospitals in regional Victoria were hit by a ransomware attack that brought their systems to a halt.
It is now commonplace for ransomware attackers to exfiltrate and publish data on the dark web in order to extort payment from their victims.