Vastaamo psychotherapy data breach sees the most vulnerable victims extorted

“Hell is too nice a place for these people.” Never have we seen outrage about a cybercrime at such a level. The outrage is aimed at the cybercriminals behind the data breach that occurred at the Finnish psychotherapy practice Vastaamo. Vastaamo, which has treated some 40,000 patients, is a subcontractor to several major public-sector hospital districts. Finland’s president Sauli Niinisto called the blackmailing “cruel and repulsive.” Prime Minister Sanna Marin said the hacking of such sensitive information was “shocking in many ways.”

What happened at Vastaamo?

For once it wasn’t a ransomware attack on a health care organization. Vastaamo was first breached in 2018, with a follow-up in March 2019, and on both occasions the attackers managed to steal tens of thousands of patient records. Due to the nature of the practice, the records contained extremely sensitive and confidential information about some of the most vulnerable people.

Sadly, it appears as though security levels were raised at Vastaamo only after the 2019 hack, and by then the data had already gone. Vastaamo learned of the extortion in late September 2020, when three Vastaamo employees received an extortion message.

What did the attackers do to monetize the Vastaamo breach?

Vastaamo has been told to pay roughly half a million US dollars in Bitcoin. But that’s not the worst bit. Recently, the attackers started to send extortion messages directly to the patients, asking each of them to pay around $240 to prevent their data from being published. As far as we know, that is a first: not just demanding a ransom from the breached organization, but also from everyone who was unlucky enough to have their data on record there.

The aftermath

Here’s what’s been going on since the attack:

  • Vastaamo’s CEO Ville Tapio was fired by the board because he was considered to be aware of the breaches and of shortcomings in the psychotherapy provider’s data security systems.
  • Vastaamo’s owner, who bought the practice a few months after the second breach but was not informed about it, began legal proceedings related to its purchase.
  • Finnish police are still investigating, hindered by the long interval between breach and extortion demands. They are not even sure whether the extortionists are the same people as the initial attackers.
  • Finland’s infosec community has set up a website with guidance for the victims on how to recover from the breach.
  • Many of the victims are considering legal action against Vastaamo. Unfortunately, Finnish procedural law does not allow for class-action lawsuits.
  • The extortionists have already published some 300 patient files on a site reachable via the anonymous Tor network.
  • Various Finnish organizations have rapidly mobilized ways to help the victims of the breach, including direct dial numbers for churches and therapy services.

It will probably take some time before it becomes clear what went down exactly, if ever. And the number of leaked patient files and the way the patients are being extorted makes this case one of a kind. Let’s hope it stays that way.

Healthcare and cybersecurity in general

We at Malwarebytes have warned about security issues in the healthcare industry many times before, pointing out some major causes of inadequate cyber defenses:

  • The Internet of Things (IoT): Due to their nature and method of use, you will find a lot of IoT devices in hospitals. They likely all run on different operating systems and require specific security settings in order to shield them from the outside world.
  • Legacy systems: Quite often, older equipment will not run properly on newer operating systems, which results in an outdated OS or even software that has reached the end-of-life point. End-of-life means the software will no longer receive patches or updates even when there are known issues.
  • Lack of adequate backups: Even when the underlying problem has been resolved, it can take far too long for an attacked target to get back to an operational state. Organizations need to at least have a backup plan and maybe even backup equipment and servers for the most vital functions so they can keep them running when disaster strikes.
  • Extra stressors: Additional pressures like COVID-19, fires, and other natural disasters eat up time and push aside the need to perform updates, make backups, or think about anything cybersecurity related. These stressors and other reasons usually boil down to “we have more important things to do.”

What should Vastaamo victims do now?

Some of the guidance given to Vastaamo clients applies to other situations, but some is very specific to this one. For the general case, Malwarebytes published a quick checklist in 2018 on what to do when your data has been leaked in a data breach.

Vastaamo’s website has the following suggestions for victims:

  • Do not call 112 (Finland’s emergency number, the equivalent of 911), as the emergency response centre cannot help with this.
  • Record and preserve any emails, messages, and other evidence you receive.
  • Include all the information you have about the sender, as it appeared when you received the message, in your police report.
  • Do not pay the ransom.
  • Do not forward the extortion emails, as they contain personal information.
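Preserving the message unaltered and pulling out the sender details are the two parts of that advice that can be automated. The following Python script is an added example, not code from the Malwarebytes post or from Vastaamo’s guidance: it hashes the raw message so the preserved copy can be verified later, and extracts the sender-related headers and every Received hop for the police report. The sample message, its addresses, domains and IP address are all constructed for illustration; the header names read are standard RFC 5322 headers.

```python
"""Added example: preserve an extortion email as evidence and summarise the sender.

Not part of the original post or of Vastaamo's guidance. Assumes the message is
available as raw RFC 5322 text (an .eml file). The sample below is constructed;
every address, domain and IP in it is fictitious.
"""
import hashlib
from email import message_from_string, policy
from email.utils import parseaddr
from pathlib import Path

# Constructed sample message (fictitious sender, recipient and relay).
SAMPLE_EML = """\
Return-Path: <bounce@example.invalid>
Received: from mail.example.invalid (mail.example.invalid [203.0.113.7])
    by mx.victim.example (Postfix) with ESMTP id ABC123
    for <victim@victim.example>; Mon, 26 Oct 2020 08:15:00 +0200
From: "Collections" <noreply@example.invalid>
To: victim@victim.example
Subject: Your records
Date: Mon, 26 Oct 2020 08:14:55 +0200
Message-ID: <20201026061455.abc@example.invalid>

Pay within 24h or your records will be published.
"""

# Headers worth copying into a crime report, in addition to the Received chain.
HEADERS_TO_RECORD = ("From", "Return-Path", "Reply-To", "Message-ID", "Date", "Subject")


def preserve_and_summarise(raw: str) -> dict:
    """Return an evidence summary: SHA-256 of the raw bytes plus sender headers.

    The hash is computed over the unmodified message text, so a copy kept on
    disk can later be shown to be identical to what was received. Headers are
    read only; nothing in the message is changed.
    """
    raw_bytes = raw.encode("utf-8")
    msg = message_from_string(raw, policy=policy.default)

    report = {
        "sha256": hashlib.sha256(raw_bytes).hexdigest(),
        "size_bytes": len(raw_bytes),
        "headers": {},
        # Every Received hop as written by the mail servers, most recent first.
        "received": [str(h) for h in msg.get_all("Received", [])],
    }
    for name in HEADERS_TO_RECORD:
        value = msg.get(name)
        if value is not None:
            report["headers"][name] = str(value)

    # The display name is attacker-controlled and can say anything; the
    # address part is what belongs in the report.
    display, addr = parseaddr(report["headers"].get("From", ""))
    report["sender_display_name"] = display
    report["sender_address"] = addr
    return report


def save_evidence(raw: str, directory: Path, stem: str = "extortion_mail") -> Path:
    """Write the raw message and a sidecar .sha256 file; return the .eml path.

    Writing bytes (not re-serialising the parsed message) keeps the evidence
    byte-for-byte identical to what was received.
    """
    directory.mkdir(parents=True, exist_ok=True)
    eml_path = directory / f"{stem}.eml"
    eml_path.write_bytes(raw.encode("utf-8"))
    digest = hashlib.sha256(raw.encode("utf-8")).hexdigest()
    (directory / f"{stem}.sha256").write_text(f"{digest}  {eml_path.name}\n")
    return eml_path


if __name__ == "__main__":
    summary = preserve_and_summarise(SAMPLE_EML)
    print("sha256:", summary["sha256"])
    print("sender:", summary["sender_address"], "| display name:", summary["sender_display_name"])
    for name, value in summary["headers"].items():
        print(f"{name}: {value}")
    for hop in summary["received"]:
        print("Received:", hop)
```

Run it against a saved .eml instead of the constructed sample by reading the file with `Path(...).read_text()`; the sidecar `.sha256` file lets the police or a forensic examiner confirm the preserved copy later with a standard `sha256sum -c` check. Note that the `From` display name and even the `Return-Path` are chosen by the sender, so the `Received` chain is the part most worth keeping verbatim.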

Victim Support Finland, backed by the Ministry of Justice, has more guidance in English for those who suspect their data may have been compromised in the Vastaamo breaches.

Stay safe everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.