Psychotherapy Centre Vastaamo says a cybercriminal is trying to blackmail it into paying 450,000 euros after allegedly obtaining sensitive information on tens of thousands of its clients. (Markku Ulander – Lehtikuva)


THE NATIONAL BUREAU of Investigation (KRP) has opened an inquiry into a case where an unknown attacker claims to have obtained sensitive information on tens of thousands of psychotherapy clients in Finland.

The data was allegedly obtained from Psychotherapy Centre Vastaamo. The Helsinki-based service provider has confirmed on its website that the breach has led to the leak of confidential information.

KRP on Thursday stated that the attack is being investigated as aggravated computer break-in and aggravated dissemination of information violating personal privacy.

“For as long as the pre-trial investigation is ongoing, the police cannot cast further light on the content of the investigation. We ask people who notice that information violating their personal privacy has been disseminated to file an electronic request for inquiry into the matter,” said Marko Leponen, the detective chief inspector in charge of the inquiry at KRP.

Tuomas Kahri, the board chairperson at Vastaamo, said the unknown hostile party is trying to blackmail the service provider. He added that the service provider has no knowledge of how many of its tens of thousands of clients are affected by the breach, declining to comment also on whether the breach affects all of the clients or only those in a particular locality.

The attacker has published their demands online, saying they will publish the details of 100 people every day until a ransom of 450,000 euros has been paid, wrote Helsingin Sanomat.

YLE on Thursday reported that the data leaked by the blackmailer consists of patient records that include extremely sensitive information about the private lives of the clients. The data also divulge personal information, such as the addresses, and social security numbers of clients.

F-Secure’s Erka Koivunen stated to Helsingin Sanomat that the breach is regrettable particularly because of the harm it causes to ordinary people.

“The industry itself has to take a look in the mirror,” urging service providers to re-consider whether it is advisable to store confidential information in a way that it can be obtained from a database or data server as scans or transcripts.

The issue, he acknowledged, is a challenge for the data governance units of all organisations.

“Quite a few data governance units have effectively had no choice but to raise their hands and give up. If the goal is to make sure the information is always available to therapists without delay, protecting security is what has to make way first,” he said to the newspaper.

Aleksi Teivainen – HT