We trust that our medical records are safe and confidential, but what happens when they are accessed by an external hacker?
Patients of a Finnish psychotherapy clinic have unfortunately found out the answer: they were individually targeted by a blackmailer who had stolen their data from the clinic.
What You Say is What is Seen
The data stolen about patients includes personal identification records and notes taken on discussions during patient therapy sessions.
The clinic, Vastaamo, is a nationwide practice encompassing 20 branches and many thousands of patients. Those targeted so far as a result of the data breach have been advised by the clinic to contact the police as a matter of urgency.
If this were an isolated case it would be one thing; however, it has been discovered that the data had been stolen as far back as November 2018, with a further breach in early 2019, around March. This has led to around 300 records being published on the dark web, a major data-security crisis for the company.
Vastaamo is fully cooperating with the authorities, although it is reported that its media centre email address is not working. For those affected, the clinic offers a free therapy session that will not be recorded.
Pattern of Threat
Finnish government officials assembled an emergency meeting, labelling the situation “exceptional” and emphasising that the attacker has shown no shame whatsoever in their actions.
A number of the patients targeted were also underage, which highlights a very disturbing focus of the attacker in question.
An interviewed victim explained that someone calling themselves “The Ransom Guy” presented him with a ransom ultimatum. As Vastaamo had refused to pay the thief a ransom of 40 bitcoin, the victim was ordered to pay 200 euro in bitcoin, rising to 500 if not paid within 24 hours. Failure to pay the ransom within 72 hours would result in records from his teenage sessions being published online.
Because the notes documented details of a sensitive nature that the victim did not want shared with the world, his extreme discomfort and vulnerability became a playing card for the attacker. With no guarantee that the attacker would not publish the material after a ransom had been paid, and with the fact that a victim has paid able to be passed on to other parties, the victim faces a lose/lose decision over whether to pay the ransom.
The attacker obtained notes that the youth’s therapist had taken in a physical notebook and had sworn would never be uploaded to any server. This has left Vastaamo in a precarious position over how its records are stored and processed, and over confidential material being made available against clients’ wishes.
With potential victims forced to pay a ransom or risk their information being dumped on networks rife with exploitation by many other parties, identity theft and online blackmail have reached a sickening new level of depravity in what is considered a data breach.