At a glance.
- A look back at the compromise of patient information at a large Finnish psychotherapy practice.
- SmileDirect suffers a data breach.
Finnish psychotherapy clinic breach explained.
Wired offers an in-depth look at the highly public breach of Finnish psychotherapy clinic Vastaamo that occurred last October. Some might say Vastaamo was doomed from the start. Considered the McDonald’s of psychotherapy in the small EU country for its accessibility and ease of use, Vastaamo boasted twenty clinics and approximately two hundred staff members. Ironically, its founder (and now ex-CEO) Ville Tapio was a computer coder at heart, which is why he took a web-based approach: he implemented a voucher system for payment and scheduling and offered online services that gave patients both easy access to treatment and anonymity. Tapio kept as much as possible online, including invoicing and session notes, in order to automate administrative tasks and free up therapists’ time. To pull this off, he designed his own browser-based records system, storing patients’ records on a MySQL server. The system met his goal of being user-friendly, but it betrayed his lack of experience in cybersecurity: the highly sensitive files it contained were neither anonymized nor encrypted.
Worsening matters, when the Finnish government decided to split medical information systems into two classes, Tapio claims that Vastaamo fell into class B (the lower-security designation designed for smaller organizations with pen-and-paper records) as the government hadn’t yet specified how psychotherapy practices should format their data. Tapio blames the lack of government regulation for the breach, as authorities allegedly signed off on his system multiple times.
Tapio first learned of the breach when the attacker, “ransom_man,” contacted him to demand 40 bitcoin in exchange for the stolen data. When he didn’t pay up, the hacker posted messages on anonymous public discussion boards declaring he would release the records of one hundred patients a day until he was paid and ridiculing Vastaamo for its lack of security. As clients learned of the attack, many of them offered to pay the ransom themselves. Still, ransom_man eventually released the entire 10.9GB database, including session notes concerning highly sensitive topics like suicide and adultery. He then changed tactics, making the unusual choice of going directly to individual patients to demand payment in exchange for deleting the data. In the end, it’s estimated that around 30,000 clients were contacted and about thirty payments were made. Ransom_man was never caught, and the exact cause of the breach is still being debated.
But the impacted patients’ most intimate thoughts are still floating around on the web, and the attack emphasizes the need for electronic medical systems that are simultaneously easy to use and secure. And where a provider trades security for ease of use, patients should be aware of what they are choosing, and should choose with a clear understanding of the risks involved.
SmileDirect must grin and bear it.
MarketWatch reports that teledentistry company SmileDirect saw its stock drop over 7% after officially disclosing that it had suffered a cyberattack. Though the company has stated that “no ransom was paid,” it has not explicitly confirmed that the incident was a ransomware attack. Its official statement explained, “At this time, the company is not aware of any data loss from, or other loss of assets as a result of, the incident, including any exposure of customer or team member information.” However, the company did admit that the attack disrupted many of its operations and services, and that it expects a loss of up to $15 million in revenue, which was clearly enough to cause anxiety among investors.