Hackers Hit Therapy Center for Patient Data

Pandemic-induced stress and anxiety are on a constant rise, according to all reports, and the demand for therapy has thus never been higher.  Hackers are taking notice.  In Finland, we now have reports of a psychotherapy center experiencing a data breach.  Approximately 300 patients of the practice, which is operated by a company called Vastaamo, began receiving emails about paying ransoms, or else their information would be publicly exposed.  How many records were stolen has not been publicly disclosed, though the hackers are asking for either €200 or €500 from a majority of the patients.  Politicians and children are among those affected.  The data stolen involved personal and health information, therapist notes, care plans and management goals.

An investigation has begun, involving multiple parties such as the Finnish Cyber Security Centre and the National Bureau of Investigation, among others.  Vastaamo apparently declined to pay the 40 bitcoin ransom the hackers were demanding of them (which is about €450,000 or $580,000).  If this is the case, I hope the investigators work fast.  According to the clinic, the culprit has indeed released a sample of patient information on the dark web.  Nevertheless, the recipients of the emails have been advised not to pay, taking a similar tack to the clinic itself.  They are also being offered a free session with a therapist.

One interesting wrinkle behind this is that it is still unknown whether the hackers and the senders of the ransom email are the same person or group.  Authorities are telling the clinic that payment may not guarantee safety for their data.

Since the confidentiality between patient and therapist is as sacrosanct as with any other doctor, the severity of this type of breach is clear.  Ordinarily, this isn’t quite the type of health data we hear about in news stories.  But as more people feel the need to seek professional help to cope with uncertain times, perhaps hackers taking aim shouldn’t be a surprise.  Of course, session notes themselves won’t generally be of any interest to cyber criminals, but any financial data they can wriggle out of this business will drive them forward, and medical data continues to garner high prices in the digital underworld.  Clinics like Vastaamo should therefore stay on top of things, and make sure their patients don’t have another anxiety to discuss with their therapist.


By: Jonathan Weicher, post on October 28, 2020
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security