Finnish psychotherapy center Vastaamo, which was blackmailed after experiencing a ransomware data breach, fired its CEO Ville Tapio for holding back information on the hack for close to 18 months.
Based on investigations into the incident, it seems probable that the data breach that led to the theft of the customer database took place in November 2018, according to the English translation of a press release issued by Vastaamo. The attackers were also able to infiltrate Vastaamo's systems until mid-March 2019.
Vastaamo said it has no knowledge of the database being stolen again after November 2018, but that it is possible individual patient records were viewed or copied.
However, published reports said that highly sensitive data about thousands of patients had been stolen from Vastaamo's databases. Vastaamo treats about 40,000 patients and operates as a subcontractor to several large public-sector hospitals.
“This is an appalling attack on some incredibly vulnerable individuals and it beggars belief that while the data may have been stolen as long ago as 2018 with Vastaamo allegedly refusing to pay ransoms to prevent its release, none of the potential victims appear to have been made aware of any existing threat until they were contacted by the criminals themselves,” said Brian Higgins, security specialist with Comparitech. “The moral bankruptcy of a perpetrator who is willing to extort money by threatening to release highly personal information from confidential therapy sessions is both disgraceful and disturbing in the extreme and I’m not sure how the offer of a further session, free of charge or not, is supposed to help those currently under attack by ‘the ransom guy.’”
Dan Piazza, technical product manager for Stealthbits Technology, said it's clear many attackers have no shame and there's no ethical boundary they're not willing to cross to make money. He added that while, so far, the attacker reportedly has leaked only 300 patient records, it's unclear how much more sensitive data they hold.