A large psychotherapy clinic in Finland is under heavy stress after a threat actor demanded a ransom for a client database with confidential information stolen in a data breach that likely happened almost two years ago.

Thousands of patient records may be at risk as the private clinic is a nationwide practice with more than a dozen branches and other institutions contract its services.

Leaking records and extorting victims

Psychotherapy Center Vastaamo announced the incident last Wednesday, saying that the extortionist first contacted three of its employees in September, asking for 40 bitcoins (currently over $500,000) not to release stolen patient data.

The attacker threatened to publish patient data in an attempt to force the clinic into paying the ransom and kept their word. Since the public notice, they have leaked at least 300 patient records on a site in the Tor anonymity network, according to a local source.

The matter escalated even further as the extortionist started to contact victims over email and asked for $240 in Bitcoin (EUR 200) to delete their records.

The messages have the subject line “Answering Office Information” and contain the recipient’s personal information.

The threat actor may have been encouraged to do this after several individuals who found the leak site offered to pay to have their information removed from the stolen database. For them, the blackmailer set a price of 0.05 Bitcoin (about $650), Ilta Sanomat reported.

The same newspaper said that the attacker “writes very good English” and that they rely on privacy-oriented email services. Initially, they used Tutanota, then switched to Protonmail and Cock.li, the latter allowing registration and usage over Tor and similar privacy services.

Pre-acquisition breach hidden

Vastaamo has been publishing updates about the incident almost daily since the initial public disclosure. Before this, the clinic informed the Finnish Cyber Security Center, Valvira, and the Data Protection Commissioner.

Ethical hackers in Finland are also helping authorities, providing the police with any digital breadcrumbs they find on the extortionist, such as messages, screenshots of sites, and metadata.

Technical aspects of the hack are being investigated by cybersecurity company Nixu, which found that the incident likely happened in November 2018.

“Based on the investigations, it seems probable that the data breach that led to the theft of the customer database took place in November 2018” – Vastaamo

This means that sensitive information of customers registered after the breach is not included in the leaks, Vastaamo clarifies in its notifications.

It was not the only intrusion, though. In mid-March 2019, another breach occurred, and the CEO knew about it but decided to keep it a secret from the private clinic’s Board of Directors, authorities, and affected individuals.

Following this revelation, the Vastaamo Board of Directors relieved Ville Tapio of his CEO position in the company.

It is not clear at this point in the investigation if the hackers stole the customer database, but there is the possibility that the intruder viewed or copied the information.

The breach in March prompted steps that corrected the issues related to the protection of customer information, especially since Vastaamo was to be acquired by PTK Midco in May.

As part of the acquisition process, an external cybersecurity audit was commissioned in April-May 2019. It revealed no problems.

According to Vastaamo’s updates, Nixu’s investigation so far confirms that the clinic’s infrastructure did not have critical security vulnerabilities and did not suffer a cyberattack after March 2019.

PTK Midco, owned by private equity firm Intera Partner, is the main shareholder of Vastaamo and started litigation on Monday about the acquisition process in May 2019.

Vastaamo is offering victims of the data breach support over the phone, advising on what to do if their private information has been leaked online.