There’s an update to the previous post about a ransom situation in Finland impacting 40,000 psychotherapy patients at Vastaamo. As initially reported by Vastaamo, a psychotherapy practice with multiple offices and locations, they had been hacked and the hacker had acquired records of patients who had registered before the end of November 2018. Other sources reported that the hacker had demanded approximately half a million dollars not to dump the data, but that was not confirmed by Vastaamo, which states that it started notifying the public and patients as soon as the government authorities gave it permission to do so. Ilta-Sanomat reports that the blackmailer contacted them and is demanding 40 BTC (450,000 euros).
Vastaamo has updated its web site with the latest developments, and others are discussing the case on social media, where the threat actor’s fluency in Finnish — or lack thereof — has been discussed, as has the attacker’s request for help writing ransom demands in Finnish. The request for help could have been misdirection, of course.
According to Vastaamo, the ransom messages are titled, for example, “Answering Office Information” and contain the patient’s personal information. Vastaamo wants patients to know that such messages are not coming from Vastaamo’s Answering Machine.
The types of information the attacker may have acquired include contact information and the personal identity number. A Google translation of Vastaamo’s FAQ follows:
Based on these, the customer number (customer ID) created for each customer contains information manually entered by the healthcare professional. Discussions are not spelled out, but the entries are narrower professional entries. The dates of visits marked as completed and unrealized, as well as appointment entries and log information on the data processing that took place at any given time, have been entered in the register. Customer information may also include care plans and management goals and statements made to authorities or to the customer themselves. See the leaflet on our website www.vastaamo.fi/tietosuoja, where you can find detailed information on our customer and patient register.
Video sessions are not recorded, so the attacker does not possess any videos of patient sessions, but might have acquired notes from sessions created by the therapist.
But there is no doubt that this is a serious privacy and data breach. Vastaamo now says that it is not just patients registered before November 2018 who have been impacted; there is also some indication that patients registered before the end of March 2019 may have had their data accessed as well. [Note: YLE.fi seems to be reporting this as two breaches, and maybe my translation is poor, but I had read it as one incident that involved more data than Vastaamo originally recognized. Reading other sites raises more questions: did the breach occur before the end of November 2018, or was it more recent but simply targeted older data? And was there a second breach or attacker, or did the first attacker attack again when they realized the value of what they had? There are a lot of questions that need answers.]
This is obviously a developing situation. Vastaamo has not revealed how the threat actor gained access to its systems, or why its security controls did not detect either the intruder’s presence in the system or the exfiltration of what appears to be a tremendous amount of data. Did the attacker disable defenses, or were the defenses not in place? Patients will likely have a lot of understandable questions as to how this happened, but the immediate concern, of course, is to try to stop the attacker from dumping more data or otherwise misusing it.
This is beyond terrible. Hundreds of lives are at stake.
One requirement of GDPR, while they were at it, should have been that any entity handling more than a hundred personal acts or dossiers of sensitive data, such as health information or legal/fiscal information, is subject to a yearly external review by an information security company or authority. This review could be paid for by the state. Certainly worth it. In its least severe form, in the case of a company with only a few employees handling just over the limit, it could be done as an honest, signed self-declaration of security practices.
Anyway. Anyone can get hacked, but data leaks of this magnitude, if they can be proven to have been caused by incompetence or violation of good practices, should not lead to merely economic sanctions. The only reasonable measure is sentencing the CEO and board members to jail time for a year or two. The hacker even longer, of course, if they ever find him/her.
Root/root as credentials and open SSH are rumored in this case… I hope it isn’t true, just too much. Sigh.