Ransomware attacks have surged around the world in recent months, targeting big corporations and critical organizations like hospitals. But digital extortion comes in many forms. And a particularly vicious assault is currently taking place in Finland, where a hacker is threatening to release therapy notes and other data stolen over the last two years from one of the country's largest psychiatric services clinics.
The health care and mental health services provider Vastaamo says it first began investigating a possible breach at the end of September, when a hacker contacted three of the organization's employees with extortion demands. Since then, Vastaamo has been working with the private security firm Nixu, Finland's Central Criminal Police, and other national law enforcement agencies to investigate the situation. It seems that Vastaamo had at least one exposed database of patient information that was breached in November 2018 and likely again in mid-March 2019. It is unclear how many patients were affected, but the National Bureau of Investigation said on Sunday that the number could be in the tens of thousands.
The hacker or hackers running the extortion campaign have been demanding 200 euros' worth of bitcoin (about $230) from each victim if paid within 24 hours of the initial demand, rising to 500 euros ($590) after that, with the threat of making the victim's information public otherwise. A hacker persona "ransom_man" has set up a site on the anonymous web service Tor that already lists leaked data from at least 300 Vastaamo patients. Finnish media reports also indicate that Vastaamo itself has received a demand for around $530,000 worth of bitcoin to keep the stolen data out of the public domain.
In a statement updated on Monday, Vastaamo said that a managing director had been removed over the incident. "The authorities and the Response Office will do their utmost to find out what happened, to prevent the dissemination of information and to bring the perpetrators to justice," the release says, as translated by Google. "We apologize for the shortcomings in data security, the consequences and human cost of which have become extremely heavy."
Finland's Central Criminal Police said in a statement that it was investigating the incident as aggravated burglary, aggravated extortion, and dissemination of aggravated invasions of privacy, adding that the situation is "exceptional … due to the sensitivity of the material disseminated online," as translated by Google.
Data extortion attacks can come in many forms. For example, a common type of email scam involves a message threatening to leak nude photos or other sexually explicit imagery of a victim if they don't pay up. These messages are often a pure bluff, personalized to contain one of the victim's old passwords exposed in a historic data breach as a way of lending credibility to the demand.
But while the tactic is well known, data extortion is widely viewed as especially immoral. And leaking mental health patient data for extortion appears to be a new low.
"I’ve seen a lot, but I haven’t seen this," says Mikko Hyppönen, chief research officer at the security firm F-Secure in Finland. "It's such a sad case, and this attacker has no shame. To get justice to the victims, I’d like nothing more than to get the person behind this arrested. However, I’d also like to see the Vastaamo clinic be held responsible for failing to protect critical patient data."
Hyppönen and others point out that there is another known example of patient data being used in extortion schemes; in 2019 attackers used breached plastic surgery data from an office in Florida in an attempt to blackmail patients.
One reason there may not be more known examples of this type of extortion is that attackers who steal medical data can often monetize it simply by selling the victims' financial data, like insurance information and credit card numbers, on the black market. That may be more lucrative than essentially going door to door for shakedowns. But clearly there are times when attackers monetize by other means.
"In the US, mental health treatment records are considered to be more sensitive than even normal health care data; only certain physicians can access those notes," says Nina Alli, executive director of Defcon's Biohacking Village and a health care security researcher. "But regardless of country, this is a situation where you're being emotionally naked and putting yourself out there for treatment, so the stakes are just so high that this data must be kept confidential."
For many patients of Vastaamo's clinics, though, it's already too late.