Back

Resources

Our team frequently publishes security articles, whitepapers, and produces written evidence for research programmes and formal inquiries. We publish these articles below, so keep checking back!

Therapy patients blackmailed for cash after clinic data breach

Many patients of a large psychotherapy clinic in Finland have been contacted individually by a blackmailer, after their data was stolen.

In what has been described as a “highly unusual ransomware case”, a hacker is demanding money directly from patients after an electronics patient record system in Finland was hacked.

According to reports from the BBC, private psychotherapy clinic Vastaamo was broken into and the therapist notes for up to 40,000 patients were stolen. It is believed that the hacker tried to extort money from the company first. When it refused, the hacker be an emailing the patients whose medical records and therapy notes were stolen, asking each person for €200 ransom paid by bitcoin.

The attacker calls himself ‘ransom_man’, is running a site on which, he has already leaked the therapist session notes of 300 patients. This is a very sad case for the victims, some of which are underage. The attacker has no shame.

It is believed that the hacker had previously spoken to Vastaamo to threaten the release of the data unless the company paid €400,000.

In a video blog about the incident, Finnish e-commerce expert Artem Daniliants said that in 2018, the company had its EPR system hacked and data was stolen. This data was released over the weekend and posted on a Tor-powered forum. He said the hackers asked Vastaamo for a ransom believed to be 500,000 bitcoins.

According to Daniliants, in Finland, an EPR system needs to be audited by the government to ensure it meets a certain level of security. This can be costly and time-consuming, so the Finnish government provides a less stringent policy for EPR systems, classified as “B-level”, which Daniliants said does not require the security audit.

“Vastaamo had a B-level EPR system and had the server exposed publicly,” said Daniliants. This generally goes against best practices for securing EPR systems, where external access is secured via a virtual private network (VPN).

“Their system was exposed to the whole internet and, unfortunately, according to the information I was able to find, it was Apache and PHP,” he said, adding that the company was running outdated versions of these open source servers, which had lots of security holes. “Most likely, the hackers just ran a security scan and found the vulnerable servers.”

BBC news spoke to a victim who said he was contacted by the hacker, going under the pseudonym “ransom guy”, who said the ransom would go up from €200 to €500 if it was not paid within 24 hours. After 72 hours, the victim said the hacker threatened to release the notes from his therapy sessions.

Ultimately this mistake could have been avoided with the proper precautions. Sadly, the real victims here are those who are threatened to have what may be their deepest darkest secrets divulged over the internet.

If you need any help or advice when it comes to keeping your business and its data secure contact one of the team today.