News Insights: Finland shocked by therapy center hacking, client blackmail

Finland shocked by therapy center hacking, client blackmail

Finland’s interior minister has summoned key Cabinet members into an emergency meeting Sunday after hundreds – and possibly thousands – of patient records at a Finnish psychotherapy center were accessed by a hacker or hackers now demanding ransoms.

News broke over the weekend that Finland has been shocked by the hacking of a therapy center and the blackmail of its clients.

 

News Insights:

Warren Poschman, senior solutions architect with comforte AG:

“The breach at Finland’s Vastaamo psychotherapy centers is a precise proof of how data-centric security is of top importance and why a breach is never really over when personal details are stolen. If the data had been secured properly using technologies such as tokenization or format-preserving encryption then the sensitive details would still be secure and worthless as an instrument of blackmail or identity theft. The reliance on firewalls, strong authentication, and passive database encryption to protect data is simply not enough – the data itself must be protected to ensure that when attackers gain access, customer and patient data will remain secure and privacy upheld. Data-centric security offers the ability to protect data in both a system and database agnostic way that allows organizations to ensure compliance and security no matter who has access to data or where it is shared.”

 

Brian Higgins, security specialist with Comparitech:

“This is an appalling attack on some incredibly vulnerable individuals and it beggars belief that, whilst the data may have been stolen as long ago as 2018 with Vastaamo allegedly refusing to pay ransoms to prevent its release, none of the potential victims appear to have been made aware of any existing threat until they were contacted by the criminals themselves. The moral bankruptcy of a perpetrator who is willing to extort money by threatening to release highly personal information from confidential therapy sessions is both disgraceful and disturbing in the extreme and I’m not sure how the offer of a further session, free of charge or not, is supposed to help those currently under attack by ‘the ransom guy’. This incident offers a sober lesson indeed that it is so very important to understand how your personal information will be used, stored and retained by any and all organizations you choose to share it with. The Finnish authorities are right to call this situation ‘exceptional’ and one can only hope Vastaamo will be suitably called to account once the full circumstances are established.”