Vastaamo, the Finnish private psychotherapy practice at the centre of a ransom heist that has seen its patients directly threatened by cyber criminals, is facing tough questions over its business practices and possible legal action, after its ex-CEO attempted to cover up the initial November 2018 breach that saw its data stolen.
In a statement, Vastaamo said it was first approached by blackmailers at the end of September 2020, and reported this to the police as well as to the Finnish National Cyber Security Centre, the National Supervisory Authority for Welfare and Health, and the Data Protection Commissioner. It also enlisted security firm Nixu to assist with a full investigation.
It currently believes that following the initial breach of its electronic patient record (EPR) system in November 2018, its attackers retained access until the middle of March 2019, when a second incident caused Vastaamo to become aware of the problem and to take corrective measures.
“The current board of directors and majority shareholder of the company were not informed of the data system break-in of March 2019 or of the information security shortcomings in the company’s systems,” Vastaamo admitted in a public statement.
“It has not been possible to obtain full certainty about the course of the investigation. However, it is obvious that there have been shortcomings in Vastaamo’s security that have allowed criminals to break into the database before mid-March 2019.
“We deeply regret what happened and on behalf of our customers who have been compromised. We apologise for the shortcomings in data security, the consequences and human cost of which have become extremely heavy.”
According to reports in Finnish media, assets of Vastaamo’s dismissed CEO Ville Tapio and his parents, totalling €10m, have now been seized by authorities at the request of the majority owner of the business, PTK Midco, the holding company behind the investment vehicle that bought Vastaamo in 2019.
Tapio is being accused of being well aware of severe cyber security failings at Vastaamo, including the November 2018 hack, and of failing to tell the new owners about this cyber attack at the time of the sale.
PTK Midco believes it is possible that Tapio will “conceal, destroy or surrender” property or act in a way that jeopardises its claims.
F-Secure chief researcher Mikko Hyppönen said the attack on Vastaamo was a highly unusual incident. “I’ve seen a lot, but I haven’t seen this,” he said. “Tens of thousands of victims are blackmailed with the publication of highly private information. I don’t think there’s a crime in our criminal history that would have more victims than this one.
“To get justice to the victims, I’d like nothing more than to get the person behind this arrested. However, I’d also like to see the Vastaamo clinic be held responsible for failing to protect critical patient data.
“The patients and the therapists did nothing wrong. They are innocent, but they pay the highest price.”
Hyppönen’s team at F-Secure is now attempting to establish the identity of Vastaamo’s attackers by collecting the bitcoin wallet addresses to which any ransom payments made by its patients are being sent.
In a tweet published earlier today (28 October), Hyppönen asked anyone who has paid the ransom to contact him directly via the email address on his social media profile.
According to Helsingin Sanomat, psychotherapists who have worked at Vastaamo have talked of a toxic internal culture and a poor reputation for overly aggressive communications and marketing practices.
This may be an indication of wider attitudes towards data security at the business. It is thought, although not confirmed, that the leaked patient data was taken from unsecured servers left facing the public internet, making their exploitation by malicious actors a relatively trivial affair.