Hackers have accessed patient records at Finland’s largest private psychotherapy system, emailing some patients to pay up or face having their private medical records released online.
Vastaamo treats about 40,000 patients and runs 25 centers across the country. Hackers emailed some of the centers’ patients demanding a blackmail payment of 200 euros in bitcoin, The Guardian reports.
Agencies such as the country’s National Bureau of Investigation are urging victims not to comply with the blackmailers’ demand and instead requesting that patients report these incidents to authorities and turn over incriminating emails. However, some data from patient records have already been released online.
“We deeply regret what happened and on behalf of our [patients] who have been compromised, we apologize for the shortcoming in data security, the consequences and human cost of which have been extremely heavy,” the center said in a statement. They added that the investigation into the situation is ongoing.
‘Sobering reminder’
In a comment, John Torous, MD, director of digital psychiatry at Beth Israel Deaconess Medical Center, Boston, Massachusetts, said this is “a sobering reminder that any digital data is subject to hacking.”
Torous is also chair of the American Psychiatric Association’s Health and Technology Committee.
“This is not the first time psychotherapy notes have been targeted and it actually happened, on a smaller scale, in the US in 2017,” he said.
In April of that year, confidential patient record information from a mental health center in Maine, including evaluations, session notes, and names of sex-abuse victims, was listed on the dark web.
Also in April, the WannaCry ransomware spread through computer systems of the United Kingdom’s National Health Service, locking clinicians out of patient records and other digital tools for 3 days.
In addition, in 2016 hackers took Hollywood Presbyterian Medical Center in Los Angeles offline for more than a week after demanding a ransom of $3.6 million.
Criminal investigation
At Vastaamo, three employees were approached by the blackmailer via email at the end of September, the company reports. The incidents were disclosed immediately and the Central Criminal Police launched a criminal investigation.
In addition, several agencies were contacted, including the Finnish Cyber Security Center, the Data Protection Commission, and a cyber security company.
Investigators believe the breach, which led to the customer database theft, occurred back in November 2018. In addition, security “deficiencies” remained until March 2019.
“We do not know that the database was stolen after November 2018, but it is possible that individual data [have been] viewed or copied,” Vastaamo said in a press release. No additional “vulnerabilities were identified after March 2019.”
The center’s CEO, Ville Tapio, who did not disclose any of these incidents to the parent company and its board of directors, was subsequently fired.
Once the police investigation began, Vastaamo said it was not granted permission by the authorities to communicate the occurrence to its patients. However, after the blackmailer released some patient information online early on Oct. 21, permission to inform patients was granted.
The company noted that the blackmailer has started emailing victims, informing them of the data breach and demanding ransom. So far, the emails have not contained harmful digital content or “malware,” but authorities warn that any attachments should not be opened. The police have requested that such emails be kept so they can be used as evidence.
In a Q&A section on its website, Vastaamo noted that videos are never recorded during its centers’ telehealth sessions and patients should not be concerned about the possibility of leaked videos.
In addition, the cybercrime has not interrupted Vastaamo’s operations.
“The authorities and the response office will do their utmost to find out what happened, to prevent the dissemination of information, and to bring the perpetrators to justice,” the center said.
“The most important task ... is to support customers in the midst of an exceptionally serious and difficult situation,” it added.