Therapy patients blackmailed for cash after clinic data breach
- Published
Many patients of a large psychotherapy clinic in Finland have been contacted individually by a blackmailer, after their data was stolen.
The data appears to have included personal identification records and notes about what was discussed in therapy sessions.
Vastaamo is a nationwide practice with about 20 branches and thousands of patients.
The clinic has advised those affected to contact the police.
It said it believed the data had been stolen in November 2018, with a further potential breach in March 2019.
'Great crisis'
Vastaamo said in a statement it was cooperating with the police.
But its media centre's email address is not working.
About 300 records have already been published on the dark web, according to the Associated Press news agency, external.
On its website, the clinic calls the attack "a great crisis".
'No shame'
It has set up a helpline and is offering all victims one free therapy session, the details of which will not be recorded.
The Finnish government held an emergency meeting on Sunday night, with Interior Minister Maria Ohisalo calling the situation "exceptional", news site Yle reported.
Mikko Hypponen, from cyber-security company F-Secure, tweeted the attacker, external "had no shame".
"This is a very sad case for the victims, some of which are under age," he added.
'Extremely uncomfortable'
Jere - who asked for his surname not be published - told BBC News someone calling themselves "the ransom guy" had told him:
Vastaamo had refused to pay 40 bitcoin (£403,000)
He would now have to pay €200 (£180) in Bitcoin
After 24 hours, the ransom would rise to €500 euros
After 72, data from sessions he had as a teenager would be published
"I'm anxious about the fact that the attackers are in possession of my notes and conversations from those psychiatrist sessions," Jere said.
"Those notes contain things I'm not ready to share with the world.
"And having someone threaten me with said notes certainly makes me extremely uncomfortable."
'Identity thefts'
His therapist had taken notes in a physical notebook, Jere said.
But he had not been told these would be uploaded to a server.
Jere said he could not afford the ransom, adding: "I feel like paying won't guarantee that my data will remain safe.
"I'm scared that I'll end up like the first 300 people who had all of their info dumped on [anonymity network] Tor, with people going through them, reading everything about their lives and abusing their info for identity thefts."
- Published18 September 2020