Therapy Center Hacked, 40,000 Patients Sent Ransom Demands

A psychotherapy center was hacked, losing sensitive healthcare data on more than 40,000 patients. The Finnish medical organization received a ransom demand, but so did the patients themselves.

The CEO has been “relieved of his position.” Ville Tapio (pictured) is said by the board to have covered up at least part of the situation. It’s reported he knew about the data leak for 18 months.

Nice hair, though. In today’s SB Blogwatch, we fear for the real victims.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Eggy.
What’s Finnish for HIPAA?

What’s the craic? Melissa Heikkilä and Laurens Cerulus report—“Hacker seeks to extort Finnish mental health patients”:

 Police said on Saturday that a hacker had started emailing more than 40,000 patients whose data was stolen from the Vastaamo psychotherapy center … in what experts and the country’s top politicians called a “shocking” cyberattack. … The attacker obtained records of Vastaamo therapy center dating back as early as November 2018 and likely extending through March 2019.

The attacker started by leaking small amounts of patient data and sought to extort the center’s management to pay a ransom. But over the weekend they changed their tactics, emailing tens of thousands of patients to pressure them to pay up as well.

Törkimys! Jussi Salmela, Minja Rantavaara, Essi Sutinen, Anniina Rimpiläinen, and Ilkka Hemmilä are lost in translation—“All this is known about the data breach”:

 The hacking at the psychotherapy center … came to light on Wednesday, October 21, when the suspected hacker released information about Vastaamo’s customers and demanded an equivalent amount of approximately [$450,000] in bitcoins from Vastaamo. … The blackmailer also continued to publish data on Thursday and Friday.

On Saturday night, several hacking victims received blackmail messages. The messages say that … the victim must pay, to keep their personal information secret [and] if the victim pays [$200] worth of bitcoins within 24 hours, their data will be permanently deleted from the server.

Thousands of criminal reports have already been filed. … The police do not yet know whether the perpetrator is Finnish or foreign.

So a ransomware attack, then? Gareth Corfield says no—“Hackers rummaged about in Finnish psychotherapy clinic”:

 Vastaamo went public about the hack last week after the details of around 300 customers were published on a Tor website. … Others with better knowledge of the local situation claimed that up to 40,000 people’s details had been stolen from the clinic.

The attack was a straight-up hack and ransomware was not used by the criminals. … It seems unusual that the hackers waited so long. … A rogue former employee could be one explanation.

Who do we know in Finland who’s good for a juicy quote? Ah yes, Mikko Hypponen—@mikko—of course:

 The attacker has no shame. What we have here is someone who is completely devoid of sympathy for his fellow beings.

This is a very sad case for the victims, some of whom are underage. … Every single infosec professional in Finland is trying to find the attacker.

And mad_dr is mad as hell:

 Wonderful. Target and exploit the details of some of our most vulnerable fellow human beings for financial gain. … There is a huge amount of stigma attached to mental health in many societies.

Ransomware hackers are scumbags at the best of times, but even for them this is low. If this encourages even one person to choose to avoid seeking psychological help for an issue, rather than risk having details of their mental health put up for sale or made public … then these bastards deserve jail time.

What does Vastaamo have to say for itself? “The Board of Directors … has relieved the company’s CEO from office”:

 At the end of September … the blackmailer approached three Vastaamo employees with a blackmail message. The matter was immediately reported to the Central Criminal Police, which launched a criminal investigation. … Immediate notifications were also made to the Finnish Cyber Security Center, Valvira and the Data Protection Commissioner. … Co-operation was established with the cyber security company Nixu, whose experts began to investigate the technical implementation of the hacking.

An internal investigation … revealed that by mid-March 2019 … the company’s CEO had been aware of … Vastaamo’s security vulnerabilities. [But] the current Board of Directors and the main owner of the company have not been informed … about the security deficiencies in the company’s systems.

The Board of Directors … has immediately relieved CEO Ville Tapio of his position. … PTK Midco Oy, the company’s main shareholder, has initiated legal proceedings on Monday, October 26, 2020, related to the acquisition of Vastaamo.

Oopsy. Aleksi Teivainen digs in—“Vastaamo fires CEO, saying he knew about hacking for 18 months”:

 [The CEO] knew about the hacking of the service provider … for 18 months before the hacking was made public, Tuomas Kahri, the board chairperson at Vastaamo, revealed. … The psychotherapy centre has determined that its database was hacked in November 2018.

Nixu, a Finnish cybersecurity company, found later in its investigation that the centre was targeted also in another hacking, in March 2019. “It’s very likely that the chief executive has known about the issue at that point,” Kahri stated.

PTK Midco, a holding company owned by Intera Partners, has additionally launched civil proceedings in connection with the issue. … Intera Partners acquired a majority stake in Vastaamo in June 2019, after finding no indication of the data breach in the due-diligence audit conducted leading up to the acquisition. Tapio neglected to tell the new owner about the hacking, according to Kahri.

Darned socialized medicine. This could never happen in the good ol’ USofA. But Lily Hay Newman begs to differ—“An extortionist has turned a breach … into a nightmare for victims”:

 There is another known example of patient data being used in extortion schemes: In 2019, attackers used breached plastic surgery data from an office in Florida in an attempt to blackmail patients.

One reason there may not be more known examples of this type of extortion is that attackers who steal medical data can often monetize it simply by selling the victims’ financial data, like insurance information and credit card numbers, on the black market. That may be more lucrative than essentially going door to door for shakedowns. But clearly there are times when attackers monetize by other means.

Data extortion attacks can come in many forms. For example, a common type of email scam involves threatening to leak nude photos or other sexually explicit imagery of a victim if they don’t pay up. These types of messages are often a pure bluff.

But while the concept may be widely known, the practice is widely viewed as especially immoral. And leaking mental health patient data for extortion appears to be a new low.

But but but … HIPAA! Imhotep scoffs at your naïveté:

 In the US, the reality is that your medical records are going to be stored electronically. I am unaware of any HIPAA rules that exempt any sensitive records, since they are all considered to be sensitive.

To the contrary, it seems that CMS (government overseer) has been pushing to get everything stored electronically. I spent the last decade of my career working with those systems.

Meanwhile, Patchouli Woollahra—@PatchouliW—snarks it up:

 Somewhere in the long list of very bad ideas lies “pissing off the infosec community of a very egalitarian society.”

And Finally:

Well, that was over easy

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Vastaamo

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
