Tens of thousands of patients at a Finnish psychotherapy clinic may be at risk after a cyber-extortionist began leaking their records on the dark web.
Cabinet members were summoned to an emergency meeting in the nation’s capital over the weekend after it emerged the highly sensitive data was accessed at Vastaamo, according to AP.
The report claims the data was stolen from the public health sub-contractor in two raids between November 2018 and March 2019.
However, many questions remain, including the type of information stolen and why it has taken so long to surface. At least 300 records containing names and contact information have been published on a dark web site, presumably to show that the hackers mean business.
Individuals are also being sent extortion messages demanding €200 in Bitcoin to keep the data private, with the amount increasing to €500 unless paid within 24 hours. The clinic itself has apparently also been on the receiving end of a ransom demand of €450,000.
“The attacker calls himself ‘ransom_man’, and is running a Tor site on which he has already leaked the therapist session notes of 300 patients. This is a very sad case for the victims, some of which are underage. The attacker has no shame,” said F-Secure chief research officer (CRO), Mikko Hyppönen, on Twitter.
“I’m aware of only one other patient blackmail case that would be even remotely similar: the Center for Facial Restoration incident in Florida in 2019. This was a different medical area and had a smaller number of victims, but the basic idea was the same.”
Politicians queued up to slam the attacks. Interior minister Maria Ohisalo described the incident as “shocking and very serious” and said government support would be expedited to help those affected, while President Sauli Niinistö labelled it “cruel” and “repulsive.”
Warren Poschman, senior solutions architect with comforte AG, argued that the incident highlights the need for data-centric security policies backed by use of tokenization and format-preserving encryption.
“The reliance on firewalls, strong authentication, and passive database encryption to protect data is simply not enough — the data itself must be protected to ensure that when attackers gain access, customer and patient data will remain secure and privacy upheld,” he said.