EXTORTION

Vastaamo fires CEO for hiding another data breach in March 2019

The company says it seems "obvious" that he was aware of the company's vulnerabilities, but still did not inform the Board of Directors.

Vastaamo psychotherapy center, the Finnish company blackmailed by hackers who have stolen confidential information from thousands of clients, announced on Monday the dismissal of its CEO, Ville Tapio.

According to a company press release, the reason is that Tapio hid from the other members of the Board of Directors another infiltration into the company's system that occurred in March 2019.

For the time being, Tuomas Kahri, Chairman of the Board, will be responsible for managing the company's operations.

Based on the ongoing investigations, the company says that "it seems probable" that the data breach which led to the theft of the customer database took place in November 2018. The company's system was subjected to another infiltration in mid-March 2019.

Vastaamo also says it seems "obvious" that, at that point, the company's CEO (Ville Tapio) was aware of the breach and of Vastaamo's security vulnerabilities.

"The current Board of Directors and the principal owner of the company (PTK Midco Oy) have not been informed about the March 2019 data breach or about any security deficiencies in the company's systems," the company remarks.

The company also revealed on Sunday that when the extortion began last September, the police advised it not to inform customers.

Extortion

Since Wednesday 21 October, hackers have been extorting the private psychotherapy centre Vastaamo, which also provides services to customers paid by the Finnish Social Security (Kela).

The criminals are demanding 450,000 euros (in bitcoins) in exchange for not publishing the mental health data of thousands of people (about 40,000, according to the perpetrators).

The hackers have been publishing the data of 100 people every day on the Tor network. They claim they will not stop until they get the payment.

The data released online could not be more sensitive: it includes names and identification numbers of the patients, phone numbers, emails, residence addresses and the content of the therapy sessions. The blackmailer has already posted sensitive information from hundreds of people.

Requesting credit bans

The criminals have also been contacting individual patients, offering them the ability to erase their data in exchange for 200 to 500 euros in bitcoins.

The police are investigating the case and advise against paying the ransom. Thousands of people are requesting the removal of their data from multiple files and are also requesting voluntary credit bans, as they fear becoming victims of identity theft in the future.

The Vastaamo psychotherapy centre runs about 20 clinics across the country. The company provides its services to the Social Security (Kela) and the majority of its patients come from the public hospital districts.