Patients Blackmailed 2 Years After a BreachFinnish Mental Health Provider's Clients Threated With Data Exposure
Hackers are threatening patients of a Finnish mental health provider with the public release of their sensitive data exposed in a 2018 data breach if they do not pay a ransom. The case highlights how data breaches can open the door to additional cybercrimes over an extended period.
In an statement on its website, Vastaamo, a Helsinki-based psychotherapy clinic, says that it is "a victim of data breaches and blackmail." On Oct. 21, "an unknown hostile party" was in contact with the clinic, claiming to have obtained confidential information about its patients, the clinic states.
The news site Politico reports that the hacker started leaking small amounts of patient data and sought to extort the clinic to pay a ransom Then last weekend, the hacker changed tactics, emailing tens of thousands of patients to pressure them to pay up as well.
Finnish media site Helsingin Sanomat reports that the hackers on Oct. 21 published the data of some Vastaamo's clients and demanded the clinic pay about 450,000 euros ($525,000) in bitcoins to avoid further data leaks.
The clinic told authorities that it did not pay the demanded ransom, according to the news report. Over the following days, the blackmailer continued to publish more stolen clinic patient information.
Vastaamo says an investigation into the 2018 incident uncovered that the clinic was also the victim of second data breach in 2019. As a result of the investigation, the clinic's board has fired the CEO.
"Usually the CISO is the first to go. The CEO will be the first to go if there's no CISO, but that's a big flag."
—Chloé Messdaghi, Point3 Security
The recent investigation revealing the attack in March 2019 prompted the clinic "to rectify the lack of protection of the customer information system and to take measures to protect other information systems," the clinic's statement notes. "The company's current board of directors and the main owner had not been informed of the data breach in March 2019 or the security deficiencies in the company's systems."
The firing of a CEO in the wake of a data breach is rare, notes Chloé Messdaghi, vice president of strategy at security firm Point3 Security. "Usually the CISO is the first to go. The CEO will be the first to go if there's no CISO, but that's a big flag - if there's no CISO to fight for security budgets, it signals that the organization isn't security-savvy.
"The bigger problem is usually that the board of directors is not adequately investing in security, and may perhaps also even be engaged in hiding recent breaches such as this one."
Vastaamo and its cybersecurity forensics vendor are also working with Finnish government authorities on the breach investigation, the clinic notes in the statement. The company faces potential regulatory fines and other enforcement penalties in the wake of the incident.
Vastaamo is subject to the EU General Data Protection Regulation, says Brian Higgins a security specialist at Comparitech, a U.K. based product testing website. The maximum penalty for violations is 20 million euros ($23 million) or 4% of global annual revenue, whichever is higher.
"GDPR also provides data protection agencies with the authority to financially penalize organizations for failing to report any breach within a given timeframe," he says. "The fact that Vastaamo only fired their CEO after the entire incident made global news does not absolve them from any culpability under the regulation, and I would expect the Finnish authorities to be conducting a comprehensive investigation with a view to imposing appropriate penalties."
Database Breached in 2018
An investigation by cybersecurity firm Nixu found that the data security incident leading to the theft of a Vastaamo patient database took place in November 2018. "There had been a lack of protection of the customer information system ... which enabled criminals to access the customer database," Vastaamo's statement says.
"According to current information, the system may have been infiltrated until mid-March 2019. We do not know that the database has been stolen since November 2018, but it is possible that individual data has been viewed or copied."
An internal Vastaamo investigation found that in mid-March 2019, the clinic was hit by another data breach, the statement says. "It seems obvious that at this point, the CEO of the company had been aware of the data breach and had become aware of the security deficiencies of [the clinic]."
In recent days, the blackmailer published sections of the information obtained during the 2018 breach, the clinic says. "Now the blackmailer has begun to approach the victims of the breach with blackmail letters demanding a ransom," says a statement on the clinic's website.
Vastaamo tells Information Security Media Group: "The blackmailer has disclosed customer information and used it to approach people who were the target of the breach with ransom claims. However, for an individual data subject, we cannot know whether or to what extent the information obtained about him in connection with the burglary has been disseminated or used."
Politico reports that one Vastaamo patient received an email last weekend in which the hacker gave her 24 hours to pay 200 euros in bitcoin, and another 48 hours to pay 500 euros or the hacker would publish her data, including home address, phone number and transcripts from therapy sessions.
Other Blackmail Cases
In other breach-related blackmail incidents, hackers have tried to extract ransoms from individuals patients of U.S. healthcare providers.
For instance, in January, hackers exfiltrated patients' medical records from a Florida-based plastic surgery practice and then demanded a ransom be paid by the clinic and some of its patients to avoid further exposure of the data (see: Ransom Demanding Gangs Target Fresh Victims).
While attacks where hackers target individual patients with ransom demands are "especially nefarious," those schemes are also logistically complicated, says Saryu Nayyar, CEO of security vendor Gurucul.
"The attacker needed to steal the data, initially blackmail the organization, then individually blackmail the victims. That is a complex process with multiple potential exposures to law enforcement," she notes. "In short, it's a lot of work. and there are much simpler ways for cybercriminals to make money, which makes it unlikely to become a widespread attack method."