The data breach and digital extortion attack disclosed by Finnish psychotherapy center Vastaamo last month represents a significant escalation in tactics: culprits used stolen data to blackmail not only the facility but also its patients.
Organizations in the health care sector and beyond should be aware of potential copycat attacks, which could result in significant damage to both reputation and bottom line. While this isolated incident alone isn’t expected to damage the mental health profession as a whole, confidence in the industry’s ability to protect private data could fall if additional attacks follow.
That said, for all the potential fallout, experts say the strategy of targeting victim organizations’ customers or patients is highly inefficient and not necessarily all that productive. This crime of opportunity, they say, only makes sense if the exfiltrated information is highly sensitive and the victimized individual has deep pockets.
Attackers adopt an unusual approach
The Vastaamo incident isn’t entirely unprecedented. Last January, it was reported that ransomware attackers infiltrated the Miramar, Florida-based Center for Facial Restoration and tried to individually extort the plastic surgery clinic’s clients. (Ransomware has not specifically been linked to the Vastaamo case.)
Still, the attack against Vastaamo, which serves as a subcontractor for Finland’s public health system, is notable both for its audacity in targeting patients and for the sheer size of the potential victim pool – roughly 40,000 people in total.
“It’s obviously disappointing and problematic, but I’m not surprised,” added Marcus Christian, a partner in Mayer Brown's Cybersecurity and Data Privacy practice and White Collar Defense and Compliance group. After all, Christian noted, there was already precedent of digital extortionists reaching out to individual employees at organizations and threatening to contact companies’ customers.
In this case, the attackers actually followed through. According to Vastaamo, the intruders accessed the company’s systems between November 2018 and March 2019. The perpetrators attempted to extort three company employees in September, released a limited amount of stolen data publicly on Oct. 21 and then, starting on Oct. 24, began emailing an unspecified number of customers with blackmail threats.
The reason attackers don’t often threaten the individual customers of breached companies, said experts, is that it takes a lot of effort, and there are simpler ways to monetize their illicit activities. For that reason alone, it’s possible the Vastaamo incident will remain an anomaly among attacks.
“I don’t see this type of extortion becoming widespread,” said Crane Hassold, senior director of threat research at Agari, and a former analyst with the FBI’s Cyber Behavioral Analysis Center. “The ROI for taking this process a step further and going after an organization’s customers would add a significant amount of work for the cybercriminal.”
Christian agreed that reaching out to hundreds or thousands of individuals “may not be in many ways the most productive [way to] attack a company and get perhaps five, six, seven figures or more” in a payout.
On the other hand, the notion that attackers might go after a company’s individual customers, clients or patients – causing an immense PR nightmare and possible loss of business – could convince victimized companies to pay up.
For that reason, “attempting to blackmail the individuals to which exfiltrated data relates could well be a natural evolution in cyberextortion cases and become increasingly commonplace,” suggested Brett Callow, threat analyst at Emsisoft. “The objective may not be to actually obtain money from the individuals, but rather to increase pressure on future victims to pay.”
The fact that information may be maliciously used in this way is likely to concern organizations far more than the information simply being published on an obscure Tor site with a URL that is only known by a few, Callow added. “And, of course, organizations may also fear that it will increase the likelihood of legal action being taken against them.”
Christian agreed that attackers are always trying to “increase the penalty of the consequences for the victim company if they don’t pay the ransom.” And to attack vulnerable patients with their confidential mental health information is a perfect avenue to do that. “It’s unconscionable, but based on what some of these actors have been threatening, it's something that was foreseeable,” he stated, noting that as of several months ago he saw early signs of cybercriminals targeting individual customers.
“There's been a lot of development this year where groups are becoming more brazen… They believe that they can commit these crimes with impunity,” said Christian.
And it’s not just stolen medical records that make for good blackmail material. “Confidential legal documents or academic records could be attractive targets for cybercriminals” seeking to extort victims on an individual level, said Hassold.
Moreover, an attack like the one launched against Vastaamo customers makes even more business sense if the victims themselves actually have deep pockets, the experts noted. “Think of professional services firms with celebrity clients,” said Christopher Ballod, an associate managing director in the cyber risk practice of Kroll, a division of Duff & Phelps.
Indeed, it’s curious that the ransomware group that attacked Grubman, Shire, Meiselas & Sacks earlier this year didn’t try to extort the entertainment law firm’s celebrity clients as opposed to demanding the firm shell out millions of dollars. (Or if they did, it wasn’t publicly reported.)
“These are trust industries: the law, financial services, especially mental health care,” said Ballod. “It almost goes without saying that brand damage… in one of those sectors in the event of a breach is potentially severe,” so the prospect of contacting affected clients directly might be enough incentive for an organization to pay up.
Breaches can damage a brand, but what about an industry?
Experts are split on whether the damage from a breach that targets customers could impact an industry at large, versus just the victim organization.
From Ballod's perspective, people will feel compelled to still seek out the services they need.
“You probably will have individuals who are scarred, who are affected by it, who wouldn’t want to go back [to therapy], but the truth is, if you need the help that services like that provide, it's hard to imagine a data breach by one service is going to chill you from seeking that service elsewhere,” said Ballod. He noted that breaches happen everywhere, so much so that the public often becomes indifferent due to “breach fatigue.”
The same rule applies to lawyers, accountants and similar professional services providers. Customers might demand specifics about how their information is protected, but odds are low that they would simply stay away.
Ballod did add this one caveat: “If you see an entire industry hit all at once, repeatedly,” then all bets are off and prospective patients might lose faith.
Christian, however, was more open to the idea that even one breach could have a negative psychological impact on the public.
“If someone reads about this in the paper or sees it online, they're not just thinking about what happened... They're also thinking about their provider,” said Christian, who likened the scenario to the decision by some individuals to refuse urgently needed medical attention out of fear they might contract COVID-19 at a hospital or doctor's facility.
“Someone who has mental health issues may perceive the potential cost of going to seek treatment to be too high in terms of the potential impact of their privacy,” he said.
Deborah Baker, director of legal and regulatory policy at the American Psychological Association (APA) – the largest scientific and professional organization of psychologists in the US – does not believe the Vastaamo incident will deter patients from seeking treatment. “Reports of massive data breaches affecting tech companies, health systems, and now this particular Finnish mental health practice, where an individual's sensitive information might be at risk, are not new, and we have not seen evidence that this risk dissuades people from seeking needed mental health care,” she said.
Nevertheless, SC Media asked the APA how mental health professionals and their respective organizations can inspire more confidence that they are responsibly handling patient data.
“Data protection laws like GDPR in Europe and HIPAA in the US help safeguard personal health data, and that should provide some comfort to the public,” said Baker. “Unfortunately, complying with these data privacy requirements cannot reduce the risk of a possible data breach to zero. However, such laws significantly reduce risks and, in the event of a breach, clearly outline the responsibilities of the party suffering the breach to notify those affected.”
“So it boils down to whether a provider is adequately complying with the relevant data privacy requirements for his/her jurisdiction and how that provider communicates that information with patients,” Baker continued.
Baker also said that patients who are especially concerned about sharing certain private information can ask their mental health professional if they can “document sensitive parts of the record on paper.”
While there are thousands of professionals who could likely accommodate such a request, Baker did note that some larger systems have moved entirely to electronic health records.
“The trend is to move towards electronic files, not paper,” said Baker. “With the pandemic, many providers had to transition to providing care via telehealth. And that can include providing care from somewhere other than the psychologist's office, and if the psychologist maintains only paper files, it would be difficult to provide care from anywhere other than one's office,” Baker explained.
But even health care entities that have gone primarily digital can take action to prevent being the next Vastaamo, which fired its managing director last week for allegedly suppressing breach details and neglecting information security deficiencies that resulted in two separate data system breaches.
Ballod said organizations could potentially inspire more consumer confidence if they are transparent in revealing the steps they are taking to secure data and if they can demonstrate compliance with privacy laws both inside and outside their own jurisdiction.
“Now's the time to step it up and take those proactive measures: to conduct assessments, to understand that they need to have multi-factor authentication where appropriate,” said Christian. “They need to have systems and software updated. They need to install patches at the appropriate time when vulnerabilities are publicized... And they need to create cultures where people within their organizations are going to be aware of the issues. They're going to be trained up and so they're less likely to be victims of phishing attempts and the like.”
“They're not going to bring the risk to zero, but they can bring the risk down significantly.”