Saturday. 28.01.2023

15,000 Vastaamo patients report to police being victims of hacking

More and more victims are asking on social networks whether the government has breached its obligation to supervise the psychotherapy center and ensure that their data was secure.


The psychotherapy center Vastaamo, which provides psychological and psychiatric services in Finland, continues to fight against the crisis caused by hackers who have managed to steal the data of 40,000 patients.

Vastaamo is a private center, but most of its customers have been referred from the public social and health services, as the company - which runs about 20 clinics across the country - is a subcontractor for several hospital districts. This has also raised many questions about a possible breach of the duty of supervision.

According to its website, Vastaamo offers psychological and psychiatric treatment to patients who suffer from disorders such as depression and anxiety. 

The police can barely cope these days with the barrage of criminal complaints being filed. By Wednesday, the National Bureau of Investigation - as the central police investigation office is known in Finland - had received more than 15,000 complaints related to the hack and the extortion of patients.

And that was early in the afternoon, according to the newspaper Helsingin Sanomat. Most likely the real numbers are higher, as there is a delay in recording complaints, and they will continue to rise with each passing hour.

The victims have been receiving individual blackmail messages from the extortionists, who demand ransoms of 200-500 euros (in bitcoin) in exchange for erasing their data from the files published on the Tor anonymity network.

The Government headed by Prime Minister Sanna Marin dedicated its evening meeting almost entirely to analyzing the case - which the local press already describes as the largest data theft in the country's history - and to debating possible legal changes so that something like this is not repeated, as well as possible measures to help the victims.

Government responsibility?

Meanwhile, more and more affected people are asking on social networks about the responsibility of the state, which is ultimately the one that referred patients to Vastaamo. Many victims wonder whether the government breached its obligation to supervise the company and ensure that their data was secure.

The government has argued that it trusted the reliability of the service provider, but according to legal sources consulted, it remains to be clarified whether there was a breach of the duty to supervise the security conditions under which the psychotherapy center stored the data.

The investigation has revealed that hackers were first able to access the system in November 2018, and that the vulnerabilities that allowed the theft of data persisted at least until March 2019. That is five long months during which the confidential data of patients treated before those dates was exposed.

District Court freezes CEO's assets

Last Monday, the psychotherapy center announced the dismissal of its CEO, Ville Tapio, precisely for allegedly having hidden from the Board of Directors an earlier break-in into the company's system.

That same day, as soon as the information on the former CEO's conduct was published, PTK Midco Oy, the main shareholder of Vastaamo, began legal proceedings related to the acquisition of Vastaamo signed in May 2019. The acquisition was made after the alleged data breaches, which were hidden from the managers, had already occurred.

On Tuesday, the Helsinki District Court ordered the confiscation of the assets of Ville Tapio and his parents for a total of 9,667,000 euros.

Police advise not to pay

The offences currently under investigation by the police comprise aggravated computer break-in, aggravated extortion and aggravated dissemination of information violating personal privacy. However, the legal classification of the offences may change as the investigation progresses.

The National Bureau of Investigation has advised patients not to pay the ransom to the extortionists, as "this will not ensure secrecy of the compromised information." At this point, the police still do not know whether the sender of the ransom e-mails and the blackmailer of Vastaamo are one and the same person.

"This hacking operation is exceptional by Finnish standards because of the sensitive nature of the information disseminated online. We currently have several avenues of investigation, and we will make every effort to solve the case," says Head of Investigation, Detective Chief Inspector Marko Lepponen.

The police are right about that: the information published could not be more sensitive, since it includes the patient's name, personal identification number, telephone number, email address and home address, together with the notes from the therapy sessions.

"This is extremely unfortunate for the victims, and we would like to emphasize that they should by no means blame themselves for becoming victims of the incident," Detective Superintendent Tero Muurman points out.

The criminals have threatened to publish 100 patient files per day if the company does not pay them 450,000 euros in bitcoin.