The confidential records of thousands of psychotherapy patients in Finland have been hacked, and some patients are now facing the threat of blackmail.
Attackers were able to steal records related to therapy sessions, as well as patients’ personal information including social security numbers and addresses, according to Vastaamo, the country’s largest private psychotherapy center. The stolen records do not spell out specific discussions with patients, but they do include care plans and narrower professional entries.
Authorities are working to track down patients who received emails threatening to disclose personal information unless the recipient pays the blackmailer. Some of the records have already leaked online.
Finnish police are working with other agencies to investigate the data breach that targeted Vastaamo, which treats roughly 40,000 patients across the country. Police believe the number of affected patients could rise to the tens of thousands.
“We are grateful for how various actors in society have helped the police,” said Marko Leponen, a detective inspector at Finland’s National Bureau of Investigation. “It is particularly great that citizens are urging all not to share this material on social media. Sharing such information fulfills the essential elements of an offence,” he added.
Some of the victims have received emails demanding payments in bitcoin to prevent the public disclosure of their personal information, payments that authorities are discouraging victims from making. Instead, agencies are asking those patients to save extortion emails and other possible evidence they may have received and file a police report. Police have also discouraged people from paying the hackers, saying it will not ensure their data remains private.
Finland’s leaders have expressed dismay at the breach and said the victims need immediate support.
“This data breach is shocking in many ways,” Finland’s Prime Minister, Sanna Marin, said on Twitter Saturday. “Victims now need support and help. Ministries are exploring ways to help victims. Action by municipalities and organizations is also needed.”
The country’s president Sauli Niinistö told Yle News on Sunday that the breach was “relentlessly cruel.”
“We all have our inner personality that we want to protect. Now it has been violated,” he said.
Vastaamo said it has started an internal inquiry into the matter and admitted on its website Monday that its patient database was first accessed by hackers back in November 2018. The company said security flaws continued to persist until March 2019. The company also announced Monday it had fired its CEO, Ville Tapio, after it was discovered he concealed a breach from the company’s board and parent company.
Tapio said he did not know about the initial data breach back in November 2018, in a statement released Monday evening on his Facebook page.
Finland’s transport and communications agency, Traficom, said on Monday it has worked with other public authorities to set up a website to help the victims.
“In this concerning situation, the need arose to make up-to-date information available in a single place,” Traficom director-general Kirsi Karlamaa said. “We hope that the site is useful to them in this difficult situation.”
CNN’s Sharif Paget contributed to this report from Atlanta.