Finnish Data Theft and Extortion
The Finnish psychotherapy clinic Vastaamo was the victim of a data breach and theft. The criminals tried extorting money from the clinic. When that failed, they started extorting money from the patients:
Neither the company nor Finnish investigators have released many details about the nature of the breach, but reports say the attackers initially sought a payment of about 450,000 euros to protect about 40,000 patient records. The company reportedly did not pay up. Given the scale of the attack and the sensitive nature of the stolen data, the case has become a national story in Finland. Globally, attacks on health care organizations have escalated as cybercriminals look for higher-value targets.
[…]
Vastaamo said customers and employees had “personally been victims of extortion” in the case. Reports say that on Oct. 21 and Oct. 22, the cybercriminals began posting batches of about 100 patient records on the dark web and allowing people to pay about 500 euros to have their information taken down.
Kurt Seifried • December 10, 2020 2:02 PM
This is interesting.
From a client perspective the problem is showing damages; yes, it is embarrassing, but you’re not actually out any money with respect to this and the clinic. I would assume Finland has some laws around medical data storage and security, but that clearly isn’t going to help here (horse, barn door, etc.). They clearly won’t always work: people make errors, don’t spend on information security like they should, an APT will always win in the long run, etc.
We’re also not hearing any mention of integrity of the data. I’d be concerned about my records being publicized, but I’d be more concerned about them being altered in ways that could seriously result in harm or death, e.g. an allergy to a medication is removed from the record, or a dosage is changed… Do we know that all this data the attackers got hold of is still in good shape on the clinic’s end?