HELSINKI (AP) – Finland´s interior minister summoned key Cabinet members into an emergency meeting Sunday after hundreds – and possibly thousands – of patient records at a private Finnish psychotherapy center were accessed by a hacker or hackers now demanding ransoms.
Finnish Interior Minister Maria Ohisalo tweeted that authorities would “provide speedy crisis help to victims” of the security breach at the Vastaamo psychotherapy center, an incident she called “shocking and very serious.”
Vastaamo, which has branches throughout the Nordic country of 5.5 million and operates as a sub-contractor for Finland´s public health system, said its client register with intimate patient information was likely stolen during two attacks that started almost two years ago.
The first incursion probably took place in November 2018 and “it is likely that our (data) systems were penetrated also between the end of November 2018 and March 2019,” Vastaamo said in a statement late Saturday.
The center said the unknown perpetrator or perpetrators had published at least 300 patient records containing names and contact information using the anonymous Tor communication software. “The blackmailer has started to approach victims of the security breach directly with extortion letters,” it said.
The National Bureau of Investigation said Sunday up to “tens of thousands” of Vastaamo clients may have had their personal data compromised. Police were looking for the possible culprits both in Finland and abroad.
A view of the offices of Vastaamo psychotherapy centre, in Pasila, Helsinki, Saturday, Oct. 24, 2020. Finland’s interior minister has summoned key Cabinet members into an emergency meeting Sunday after hundreds of patient records at a private Finnish psychotherapy center were accessed by a hacker or hackers who are seeking ransom from clients. Finnish Interior Minister Maria Ohisalo tweeted on Sunday that authorities would “provide speedy crisis help to victims” of the security breach at the Vastaamo psychotherapy center, an incident she called “shocking and very serious.” (Heikki Saukkomaa/Lehtikuva via AP)
It was not immediately clear if the stolen information included diagnoses, notes from therapy sessions or other potentially damaging information. Also, it wasn’t clear why the information was surfacing only now.
“What makes this case exceptional is the contents of the stolen material,” Marko Leponen, the National Bureau of Investigation’s chief investigator assigned to the case, told reporters.
Vastaamo urged clients who receive demands to pay money in exchange for keeping their information private – allegedly dozens already – to immediately contact Finnish police.
Finnish media reported that cyber-criminals have demanded ransoms of 200 euros ($240) paid in Bitcoin, with the amount increased to 500 euros unless paid within 24 hours. The psychotherapy center also reportedly received a ransom demand for 450,000 euros ($534,000) in Bitcoin.
Citizens reacted to the news with disbelief. It also prompted comments from Finland’s leaders. President Sauli Niinisto called the blackmailing “cruel” and “repulsive.” Prime Minister Sanna Marin said the hacking of such sensitive information was “shocking in many ways.”
The chief research officer of Finnish data security company F-Secure, Mikko Hypponen, told Finnish public broadcaster YLE that the case was exceptional even on an international level.
“I´m not aware of any such case anywhere in the world with such gross misuse of patient records,” said Hypponen, one of Finland´s leading data security experts and an internationally known lecturer on cyber-threats.
Hypponen also tweeted that he knew of “only one other patient blackmail case that would be even remotely similar: the Center for Facial Restoration incident in Florida in 2019. This was a different medical area and had a smaller number of victims, but the basic idea was the same.”
Various Finnish organizations have rapidly mobilized ways to help the victims of the breach, including direct dial-in numbers with churches and therapy services.
This version has been corrected to show a data security expert said the case is exceptional, not unexceptional.