Therapy patients blackmailed after data breach.
Finnish Psychotherapy Center Vastaamo has suffered a data breach with loss of patient information, and extortionists have begun targeting individual patients with demands for hundreds of euros in exchange for keeping their data private. The incident is notable for its cruelty: private notes from the therapeutic sessions of about 2,000 patients have already been posted online, and the victims themselves are being asked to pay to have their information taken down.
Details of the breach remain sparse, but Computing reports that some 40,000 patients' data were compromised. Around 15,000 victims have already filed criminal reports, and the incident has received attention at the highest levels of Finland’s government. The Guardian quotes Robin Lardot, director of Finland’s National Bureau of Investigation, as saying, "We are investigating an aggravated security breach and aggravated extortion, among other charges."
Yle Uutiset reports that Vastaamo sustained two breaches—one in 2018 and one in 2019. The company has dismissed its CEO after concluding he’d been aware of the second breach for more than a year without disclosing it. CyberScoop says the attackers initially approached Vastaamo itself last month with a demand for around €450,000, which the company refused to pay. The criminals then began going after patients directly.
Victim Support Finland has advice for those affected.