Finland’s interior minister summoned key Cabinet members into an emergency meeting Sunday after hundreds of patient records at a private Finnish psychotherapy center were accessed by a hacker or hackers who are seeking ransom from clients.
Finnish Interior Minister Maria Ohisalo tweeted that authorities would “provide speedy crisis help to victims” of the security breach at the Vastaamo psychotherapy center, an incident she called “shocking and very serious.”
Vastaamo, which has branches throughout the Nordic country of 5.5 million and operates as a sub-contractor for Finland’s public health system, said its client register with intimate patient information was likely stolen during two attacks that started almost two years ago.
The first incursion probably took place in November 2018 and “it is likely that our (data) systems were penetrated also between the end of November 2018 and March 2019,” Vastaamo said in a statement late Saturday.
The center said the unknown perpetrator or perpetrators had published at least 300 patient records containing names and contact information using the anonymous Tor communication software. “The blackmailer has started to approach victims of the security breach directly with extortion letters,” it said.
The National Bureau of Investigation said Sunday up to "tens of thousands” of Vastaamo clients may have had their personal data compromised. Police were looking for the possible culprits both in Finland and abroad.
It was not immediately clear if the stolen information included diagnoses, notes from therapy sessions or other potentially damaging information.
Vastaamo urged clients who receive demands to pay money in exchange for keeping their information private — - allegedly dozens already - to immediately contact Finnish police.
Finnish media reported that cyber-criminals have demanded ransoms of 200 euros ($240) paid in Bitcoin, with the amount increased to 500 euros unless paid within 24 hours. The psychotherapy center also reportedly received a ransom demand for 450,000 euros ($534,000) in Bitcoin.
The chief research officer of Finnish data security company F-Secure, Mikko Hypponen, told Finnish public broadcaster YLE that the case was unexceptional even on international level.
“I’m not aware of any such case anywhere in the world with such gross misuse of patient records,” said Hypponen, one of Finland’s leading data security experts and an internationally known lecturer on cyber threats.
Various Finnish organizations have rapidly mobilized ways to help the victims of the breach, including direct dial-in numbers with churches and therapy services.