Security Breach in Finland Leads to Psychiatric Patient Blackmail

Deborah Brauser

October 27, 2020

Hackers have accessed patient records at Finland's largest private psychotherapy system and are emailing some patients, demanding that they pay up or face having their private medical records released online.

Vastaamo treats about 40,000 patients and runs 25 centers across the country. Hackers emailed some of the centers' patients asking for a blackmail payment of 200 euro in bitcoin, The Guardian reports.

Agencies such as the country's National Bureau of Investigation are urging victims not to comply with the blackmailers' demand and instead requesting that patients report these incidents to authorities and turn over incriminating emails. However, some data from patient records have already been released online.

"We deeply regret what happened and on behalf of our [patients] who have been compromised, we apologize for the shortcoming in data security, the consequences and human cost of which have been extremely heavy," the center said in a statement. They added that the investigation into the situation is ongoing.

"Sobering Reminder"

Commenting on the news for Medscape Medical News, John Torous, MD, director of digital psychiatry at Beth Israel Deaconess Medical Center, Boston, Massachusetts, said this is "a sobering reminder that any digital data is subject to hacking."

Torous is also chair of the American Psychiatric Association's Health and Technology Committee.

"This is not the first time psychotherapy notes have been targeted and it actually happened, on a smaller scale, in the US in 2017," he said.

In April of that year, confidential patient record information from a mental health center in Maine, including evaluations, session notes, and names of sex-abuse victims, was listed on the dark web.

Also in April, computer hackers released the WannaCry virus into the operating system of the UK's National Health Service, which subsequently locked clinicians out of patient records and other digital tools for 3 days.

In addition, in 2016 hackers took Hollywood Presbyterian Medical Center in Los Angeles, California, offline for more than a week after demanding a ransom of $3.6 million.

Criminal Investigation

Vastaamo reports that three of its employees were approached by the blackmailer via email at the end of September. These incidents were immediately disclosed, and the Central Criminal Police launched a criminal investigation.

In addition, several agencies were contacted, including the Finnish Cyber Security Center, the Data Protection Commission, and a cyber security company.

Investigators believe the breach, which led to the customer database theft, occurred back in November 2018. In addition, security "deficiencies" remained until March 2019.

"We do not know that the database was stolen after November 2018, but it is possible that individual data [have been] viewed or copied," Vastaamo said in a press release. No additional "vulnerabilities were identified after March 2019."

The center's CEO, Ville Tapio, who did not disclose any of these incidents to the parent company and its board of directors, was subsequently fired.

Once the police investigation began, Vastaamo said it was not granted permission by the authorities to communicate the occurrence to its patients. However, after the blackmailer released some patient information online early on October 21, permission to inform patients was granted.

The company noted that the blackmailer has started emailing victims, informing them of the data breach and demanding ransom. So far, the emails have not contained harmful digital content or "malware," but authorities warn that any attachments should not be opened. The police have requested that such emails be kept so they can be used as evidence.

In a Q&A section on its website, Vastaamo noted that videos are never recorded during its centers' telehealth sessions and patients should not be concerned about the possibility of leaked videos.

In addition, the cybercrime has not interrupted Vastaamo's operations.

"The authorities and the response office will do their utmost to find out what happened, to prevent the dissemination of information, and to bring the perpetrators to justice," the center said.

"The most important task...is to support customers in the midst of an exceptionally serious and difficult situation," it added.

"Worst-Case Scenario"

Commenting for Medscape Medical News, Ipsit Vahia, MD, medical director at the Institute for Technology and Psychiatry at McLean Hospital, Belmont, Massachusetts, said Vastaamo's data breach "represents the worst-case scenario for digital health."

He added that more information is needed about the specifics of the case, including exactly what happened, how the system was hacked, and what information was compromised.

Still, "it raises fundamental questions that healthcare systems, clinicians, and patients everywhere should be asking about what measures are in place to protect electronic medical records and other personal digital information," said Vahia.

"This incident also serves as another reminder that the issue of data security and privacy is foundational to digital mental health. Ultimately, without a commitment from all stakeholders to maintaining the strictest levels of security, as well as transparency around how data are handled, there will be little to no trust from clinicians or patients," he said. All of that could prevent digital healthcare from achieving its full potential, he added.

In addition, Vahia noted that the rapid uptick of telemedicine because of the pandemic has accelerated the use of other forms of digital information in mental healthcare.

"This unfortunate incident should serve as a wake-up call and bring the issue of data protection back firmly into the spotlight," said Vahia.

Now that telehealth has become a larger part of clinical practice, said Torous, it's important for clinicians to be vigilant regarding security procedures.

"Telehealth and digital data are here to stay, and with them new benefits as well as risks. We can continue to work to minimize the risks and protect privacy while ensuring the benefits to patients expand," he added.

If you, or your institution, have had a similar experience with hacking and would like to share your experience, please contact dbrauser@medscape.net.
