Private psychotherapy notes leaked in major Finnish hack
Distressed psychotherapy patients were flooding mental health charities Monday, as Finnish police revealed over the weekend that the treatment records of tens of thousands of people had been hacked, and some leaked online.
Ministers announced a crisis meeting for this week over the unprecedented data breach.
Police said Sunday that “thousands” of patients of the private company Vastaamo, which runs 25 psychotherapy centres across Finland, had filed criminal reports after hackers accessed the firm’s confidential patient records.
Many patients reported receiving emails with a demand for 200 euros ($236) in bitcoin to prevent the contents of their discussions with therapists being made public.
“We are investigating an aggravated security breach and aggravated extortion, among other charges,” director of Finland’s National Bureau of Investigation Robin Lardot told a news conference.
Lardot added that they believed the patients whose records had been compromised numbered in the tens of thousands.
Vastaamo said on Sunday it was “extremely sorry” for the breach, as security experts told newspaper Helsingin Sanomat that a 10-gigabyte data file containing private notes between at least 2,000 patients and their therapists had appeared on websites on the so-called dark web.
The leak has caused widespread shock in the Nordic country of 5.5 million, with ministers gathering on Sunday to discuss how to support the patients whose sensitive data had been leaked.
“It is absolutely clear that people are justifiably worried not only about their own security and health but that of their close ones too,” Interior Minister Maria Ohisalo told reporters late on Sunday.
Mental health and victim support charities reported being overwhelmed with calls from distressed people fearing that their intimate conversations with their therapists would be publicly released.
“This is a very sad case for the victims, some of which are underage. The attacker has no shame,” Mikko Hypponen of data security firm F-Secure said on Twitter, adding that the perpetrator was using the alias “ransom_man”.
Hypponen said that so far notes from about 300 patients had been made public on a website controlled by the hacker.
Hypponen, an internationally renowned data security specialist, called the breach “highly unusual” and said he was only aware of one other patient blackmail case, where a facial restoration clinic in Florida had a smaller amount of data stolen in 2019.
Finland’s social care regulator has ordered Vastaamo to submit details of the firm’s data breach practices and of how it has carried out its responsibilities, the interior minister said.