Therapy Patients Blackmailed After Data Breach

Reading Time: 5 minutes

Almost as if from a movie – a number of patients at a large psychotherapy clinic in Finland recently received contact from a blackmailer demanding money or threatening to share what was disclosed in therapy sessions.

Vastaamo is urging clients who have received demands or already exchanged money for silence – allegedly dozens at this time – to immediately contact Finnish police.

“What makes this case exceptional is the contents of the stolen material,”

Marko Leponen, the National Bureau of Investigation’s chief investigator assigned to the case

What Happened?

Finland’s interior minister called the main Cabinet members into an emergency meeting Sunday after receiving word that hundreds if not thousands of patient records were compromised by hackers who are now threatening blackmail and ransoms.

The Vastaamo Psychotherapy center had been the victim of a security breach which included the compromise of several medical records pertaining to current and past patients.

“Shocking and very serious… authorities will provide speedy crisis help to victims”

Finnish Interior Minister Maria Ohisalo

The records compromised included a number of personal identifying information ( PII ) as well as specific notes from therapy sessions.

Vastaamo is a sub-contractor for Findland’s public health system and operates through the country of 5.5 million inhabitants. They have over 20 branches with several thousand clients.

When Did Vastaamo Get Breached?

Following the dismissal of previous CEO Ville Tapio following the breach – it became apparent that the attack was not carried out a day or month ago but rather over 2 years ago.

November 2018 is the rough time frame that authorities have pinpointed as the initial compromise.

While the initial reporting of the issue included details of a breach in 2018, the board advised that an internal probe had determined a second breach had occurred in March of 2019, shortly before the firm was sold.

Ville Tapio’s dismissal was based upon details indicating Tapio was aware of the breaches and of the issues in the psychotherapy providers data security implementation.

Vastaamo’s main owner, PTK Midco, began legal proceedings related to its purchase of Vastaamo in May 2019. PTK Midco is owned by the Helsinki-based private equity firm Intera Partners.

Are The Attackers Doing Anything?

Unfortunately – yes – the attackers are actively pushing data out to the dark web as we speak. For those who have received the blackmail and failed to respond or have attempted to retaliate – their information has been posted publicly.

One such instance is from an individual who spoke with BBC News regarding the issue – Jere.

Jere communicated with the ‘ransom guy’ regarding Vastaamo’s stance on paying Bitcoin and as such his cost to prevent the spread of his data.

  • Vastaamo had refused to pay 40 bitcoin (£403,000)
  • He would now have to pay €200 (£180) in Bitcoin
  • After 24 hours, the ransom would rise to €500 euros
  • After 72, data from sessions he had as a teenager would be published

“I’m anxious about the fact that the attackers are in possession of my notes and conversations from those psychiatrist sessions”

“Those notes contain things I’m not ready to share with the world.

“And having someone threaten me with said notes certainly makes me extremely uncomfortable.”

Jere – BBC News

Jere stated that his therapist had written notes in a physical notebook. He was never informed that the notes would then be uploaded to a server.

What is Vastaamo Doing About The Breach?

Shortly after the 2019 cyber attack, Vastaamo went through the process of increasing their security posture. Even during this increase in defense, the current board nor the principal owner were made aware of the March 2019 breach or the already identified security weaknesses.

Following the attack, in April and May of 2019, an outside firm was charged with the task of inspecting the IT systems in connection with the acquisition. the probe found a number of areas that could use improvement although no critical data security shortfalls were found.

When the firm, Nixm, was hired to inspect and upgrade Vastaamo’s infrastructure they reported that they could not find any indication of breach after March 2019.

Vastaamo reports that Nixu has made much progress and shared information with the National Bureau of Investigation ( NBI ) and the Finnish Transport and Communications Agency ( Traficom ).

Victim Support Finland, backed by the Ministry of Justice, provides guidance in English for those who suspect that their data may have been comprised in the Vastaamo breaches. More information at this link.

Vastaamo has set up a helpline and is offering all victims one free therapy session, the details of which will not be recorded.


Your Digital Mind has not been able to reach Tapio or NBI for comment.

Leave a Reply

Your email address will not be published. Required fields are marked *