Cyber Criminals Blackmail Psychotherapy Provider in Finland and its Patients

Vastaamo, one of Finland's largest psychotherapy service providers, has suffered a cyberattack in which highly sensitive patient information was stolen. The attackers have threatened to publish the stolen data unless a ransom is paid, and some patient records have already been exposed on the internet.

Vastaamo has roughly 40,000 patients across about 24 clinics in Finland. Last week, Vastaamo began notifying patients of the data breach after an individual contacted three of its employees and demanded 40 Bitcoin (about $500,000) to prevent the publication of the stolen patient data.

Vastaamo is not the only party to have received ransom demands. After Vastaamo declined to pay, the attacker, referred to as "the ransom guy", also sent ransom demands directly to patients, asking each of them to pay €200 ($236) in Bitcoin to prevent their information from being exposed. Early reports indicated that the data of about 300 patients had been posted on a darknet site; later reports show that a 10GB file containing the records of about 2,000 patients was published on the dark web.

The BBC spoke to one patient who said the attacker had given him 24 hours to make the initial ransom payment, or his psychotherapy notes from his teenage years would be published. The attacker also said the demand would rise to €500 ($515) if it was not paid within 24 hours.

Vastaamo said on its website that its systems appear to have first been accessed in November 2018, and that a further breach occurred in March 2019. The data stolen in the attack appears to relate to patients treated before November 2018, although it is possible that records were also stolen in the subsequent March 2019 breach.

According to Vastaamo, the breached data includes client names, personal identity numbers, appointment dates, and information entered manually by the psychotherapist, which may have included care plans, consultation notes, and reports provided by patients to authorities.

It is not yet clear how many of Vastaamo's patients were affected by the breach, although Robin Lardot, director of Finland's National Bureau of Investigation, believes thousands of patient files were compromised. It is also unknown why the threats were issued only now, long after the intrusions. One possibility is that the stolen data was sold to a third party, who has since started the extortion campaign.

Psychotherapy session records are among the most sensitive records held by healthcare organisations. Patients discuss their concerns in a private setting where they feel safe, and information disclosed during a consultation may never have been shared with anyone else. Finland's interior minister called the incident "a shocking act which hits all of us deep down", and said that Finland should be a country where help for mental health problems is available without fear.

Vastaamo said in a statement that, for a company providing psychotherapy services, the privacy of customer data is especially essential and the starting point for all of its procedures, and that it greatly regrets the exposure caused by the data breach. Vastaamo also announced that it has dismissed its CEO, Ville Tapio, for failing to inform its board of directors and parent company about the March 2019 breach.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to the specialised areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source of information on the complexities of healthcare regulations. Her contribution to the field extends to helping readers understand the importance of patient privacy and the secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone