A data breach involving a mental health provider in Finland has devolved into a horrifying extortion scheme that includes the abuse of hypersensitive medical data, demonstrating how far some cybercriminals will go to make a profit.
After trying and failing to extort Vastaamo, a private Finnish medical provider that offers psychological and psychiatric treatments, a hacker identified as “ransom_man” sent ransom emails to the provider’s patients, threatening to publish their personal data—which, in addition to social security numbers, phone numbers, and emails, included some of the most sensitive mental health records imaginable, such as doctors’ notes and transcripts of conversations between patients and medical professionals—if the victims did not pay the demand.
The incident represents one of the first efforts by cybercriminals to extort individuals whose data is exposed during a breach, as opposed to the entity that controlled the data and is responsible for protecting it.
It is also remarkably brazen, not only exposing sensitive information that could cause any number of financial and personal repercussions, but also threatening to unwind years of careful treatment for patients dealing with severe mental health issues, several clients said.
“It’s an indescribable feeling when you know that someone has information of your traumas and is willing to use it against you,” said one patient who received a ransom email over the weekend and asked not to be named given the sensitivity of the information involved. “I feel like I have once again taken a step back in my treatment. It hurts to know that my journey to better health might take even longer now.”
The Helsinki-based company said the hacker demanded a ransom in return for the data but did not disclose information on the extent of the breach or whether it had agreed to pay. Vastaamo has tens of thousands of patients in 20 cities across Finland, according to News Now Finland.
The severity of the incident only became clear later, when the hacker leaked 100 patient records—including the records of those who were children at the time—to an anonymous Tor site and claimed to be in possession of 40,000 more.
The leak shocked patients not just because of how large the breach was or how brazen the extortionists were, but how much data Vastaamo had been storing.
“I was under the impression that those private conversations and notes would remain in physical form in order to avoid this kind of thing,” said Jere, who said he was a Vastaamo patient between 2016 and 2017. Jere asked that his full name and other identifying information remain confidential due to the sensitivity of the incident and information involved. “Those notes contain things I’m not ready to face, and I felt extremely proud that I was even able to say them out loud to someone.”
At first, the extortion scheme followed a familiar trajectory. The hacker wielded the stolen data to extort Vastaamo, threatening to publish 100 patient records per day until the company surrendered 40 bitcoin, or roughly 450,000 euros.
For two days, even as the hacker made good on his word, posting 200 more records, Vastaamo refused to budge. Then, on Saturday, the extortion scheme took a shocking turn for the worse.
Vastaamo patients began receiving personalized extortion emails, which included their name and social security numbers. The emails, sent in Finnish, demanded bitcoin payments in exchange for deletion of patient data. The demand increased the longer the victims waited, running from 200 euros for a payment within 24 hours to 500 euros for one made within 48 hours. After that, the information would be leaked to the public.
The emails attempted to place the blame on Vastaamo. “Because the management of this company has refused to take responsibility for their own mistakes, we will sadly have to ask you to pay to keep your personal information safe,” read the extortion note.
It is unclear how many patients have received the email or whether they were all sent by ransom_man. It is also difficult to trace how much money the extortion scheme has generated because the emails requested payments to unique bitcoin wallets.
Several patients told The Record that they have directly received demands in recent days threatening to expose their information if they don’t pay a ransom, putting their mental health at risk.
Maaret Pyhäjärvi said she received two extortion emails one hour apart on Saturday—the second email, which several patients who spoke with The Record confirmed receiving, changed the placement of a link included in the first. Beyond her name and social security number, the emails contained no indication that the hacker had read her medical records or picked her for her susceptibility to blackmail.
In a tweet, Maaret said she doesn’t plan to pay the ransom and explained that many Vastaamo patients had sought help from therapists to “deal with their own health proactively.”
Still, she acknowledged in a private message that she felt uncomfortable about some of the information the hackers have access to. “While I care little on my info becoming public, it includes stuff I have never seen myself (what therapists make notes on) and wouldn’t intend to go around,” she said.
For patients dealing with more serious mental health issues, the extortion scheme hit harder.
The Vastaamo patient who declined to provide her name said she wasn’t concerned when Vastaamo first notified her about the breach on October 22 because she assumed it would not affect her.
That changed three days later when she received an extortion email.
The patient, who disclosed that she sought health services at Vastaamo over a three-year period for moderate to severe depression and a generalized anxiety disorder, said the email triggered a mix of anxiety, disbelief, and panic.
“I’m feeling nauseous and am just trying to make sense of my thoughts,” she said. “I feel violated, like someone has literally gone through my brain.”
Jere, the Vastaamo patient from 2016 to 2017, also received one of the extortion emails. He was underage at the time and said the extortion note made him “extremely anxious and scared.”
But his mental health was not the only thing that worried him. Jere said he spent approximately four hours on Saturday contacting private and public authorities to warn them that his social security number had been stolen. He explained that such information is extremely valuable to petty fraudsters in Finland.
The uproar over the incident has placed the spotlight on Vastaamo’s handling of the breach and its cybersecurity practices in general. On Sunday, Interior Minister Maria Ohisalo summoned an emergency meeting with key cabinet members in Finland to discuss the incident, The Associated Press reported.
In a tweet, she called the incident “shocking and very serious” and urged authorities to provide immediate help to victims.
In a statement Saturday, Vastaamo announced that it may have been breached twice—once in November 2018 and again between that time and March 2019. That contradicted Vastaamo’s first press statement about the incident, which stated that data entered after November 2018 had not been affected in the breach.
Under the European Union’s General Data Protection Regulation, Vastaamo could be subject to fines of up to 4% of its annual revenue or 20 million euros, whichever is greater.
Finland’s National Bureau of Investigation launched an investigation into the incident last week. It has advised victims not to pay the ransom demands and to submit electronic incident reports to the police if they receive an extortion email.
That system is suffering some difficulties of its own. On Saturday night, the incident reporting portal crashed after it was overwhelmed by requests from victims.