A hacker is trying to blackmail tens of thousands of Finnish patients after gaining access to their medical records from therapy sessions, in what experts and the country’s top politicians called a “shocking” cyberattack.
The attacker or attackers — it is unclear who or how many are behind the attack — are threatening to leak mental health records onto the internet unless the patients provide payment in bitcoin. Some of the people whose data was stolen are underage.
“This is an especially shitty attack and it’s quite unusual even on a global scale,” said Mikko Hyppönen, chief research officer at Finnish cybersecurity company F-Secure. “What we have here is someone who is completely devoid of sympathy for his fellow beings.”
He added: “Every single infosec professional in Finland is trying to find the attacker.”
The attacker obtained records of Vastaamo therapy center dating back as early as November 2018 and likely extending through March 2019, the center said in a press statement.
Prime Minister Sanna Marin tweeted that the hack was “shocking in many ways” and that the government is looking at ways to help victims.
The attacker started by leaking small amounts of patient data and sought to extort a ransom from the center’s management. But over the weekend they changed tactics, emailing tens of thousands of patients to pressure them to pay up as well.
‘It was scary’
One of these patients was Julia, who said she saw a psychotherapist through Vastaamo for a year from 2017.
Late on Saturday, she received an email in which the hacker gave her 24 hours to pay €200 in bitcoin, and another 48 hours to pay €500. Unless she provided the funds, the email read, her data, including home address, phone number and transcripts from therapy sessions would be published online. The email referred to Julia’s unique social security number.
“It was scary. I have never experienced anything like that,” said Julia who asked for her last name not to be disclosed. “I don’t feel ashamed about going to therapy. But someone has all my other information, and they could steal my identity.”
Finnish police are working to track down the attacker. Marko Leponen of the National Bureau of Investigation told local media that victims “should not agree to the demands of the blackmail message” but rather file a crime report.
The attack comes as Europe is rushing to find ways to better share health data across the European Union. Finland is well advanced in this respect, partly thanks to its social security number system in which each citizen is granted a personal identifier that they use for any official business or dealings with the state.
Miapetra Kumpula-Natri (S&D), the rapporteur for the European Parliament’s report on data, said the costs of proper cybersecurity should always be factored in from the very beginning.
“When we think about artificial intelligence and how much money we could save with that, we should take cybersecurity into account,” Kumpula-Natri said on Monday. “It’s difficult to find a sector that doesn’t use sensitive data.”
The European Union Cybersecurity Agency ENISA, in its annual Threat Landscape report last week, flagged ransomware as one of the top 15 threats to European citizens in 2020. Europol’s European Cybercrime Centre (EC3) singled out ransomware as a top threat in its annual report this month.