Finnish Data Theft and Extortion

The Finnish psychotherapy clinic Vastaamo was the victim of a data breach and theft. The criminals tried extorting money from the clinic. When that failed, they started extorting money from the patients:

Neither the company nor Finnish investigators have released many details about the nature of the breach, but reports say the attackers initially sought a payment of about 450,000 euros to protect about 40,000 patient records. The company reportedly did not pay up. Given the scale of the attack and the sensitive nature of the stolen data, the case has become a national story in Finland. Globally, attacks on health care organizations have escalated as cybercriminals look for higher-value targets.

[…]

Vastaamo said customers and employees had “personally been victims of extortion” in the case. Reports say that on Oct. 21 and Oct. 22, the cybercriminals began posting batches of about 100 patient records on the dark web and allowing people to pay about 500 euros to have their information taken down.

Posted on December 10, 2020 at 1:48 PM

Comments

Kurt Seifried December 10, 2020 2:02 PM

This is interesting.

  • Does the clinic have a duty to pay for the data to be kept private once it is stolen?
  • Would this even be legal (the clinic is now participating in a crime potentially)?
  • Would this even work (e.g. the clinic paid, cool, now let’s try extorting the individuals!)?

From a client perspective the problem is showing damages: yes, it is embarrassing, but you’re not actually out any money with respect to this and the clinic. I would assume Finland has some laws around medical data storage and security, but that clearly isn’t going to help here (horse, barn door, etc.). They clearly won’t always work, people make errors, don’t spend on information security like they should, an APT will always win in the long run, etc.

We’re also not hearing any mention of integrity of the data. I’d be concerned about my records being publicized, but I’d be more concerned about them being altered in ways that could seriously result in harm or death, e.g. an allergy to a medication is removed from the record, or a dosage is changed… Do we know that all this data the attackers got hold of is still in good shape on the clinic’s end?

Matt December 10, 2020 4:46 PM

@Kurt “From a client perspective the problem is showing damages, yes it is embarrassing, but you’re not actually out any money with respect to this and the clinic…”
It’s more than “embarrassing” for clients. The stolen data includes
“Written appointment notes, i.e. patient reports”. That can be their deepest pain, their darkest most crushing shame, the things that took great courage to say to a trusted professional in a therapeutic setting. That’s horrifying stuff to have made public, or even to be in the hands of people who might misuse it in any way.

I can’t imagine how distressing this is for clients, who were already struggling emotionally, which is why they were going to a therapist. I suppose they could get therapy for that distress, if they can ever trust a therapist again because hey, who knows if what they say next will be stolen and misused.

“Embarrassing” my ass.

maqp December 10, 2020 4:49 PM

@ Bruce

I’ve been following the case quite closely. From what I’ve gathered, the complexity of the attack was along the lines of connecting to database.vastaamo.fi / myphpadmin.vastaamo.fi and using the username and password “root”. Here’s a screenshot from an Onion site where the asshole bragged about how easy it was: https://pbs.twimg.com/media/ElLhC6gX0AAQQT5?format=jpg&name=medium

The reason the security sucked so bad was because the code was written by the CEO, Ville Tapio, himself. Tapio takes pride in being a self-taught programmer.

Vastaamo was a family business. The family sold 70% of their stock to Intera Partners in Q2 of 2019, fully aware of the fact that Vastaamo had been breached earlier, in March. Vastaamo had actually been breached the first time in October 2018, and a second time in November the same year. So they had been compromised thrice, and it took more than 18 months before the public knew.

Tapio has since been fired, and property worth almost 10 million euros has been confiscated.

You wrote that data is a toxic asset and I couldn’t agree more. I’ve watched in horror as tons of private data are being uploaded to national databases such as My Kanta: https://www.kanta.fi/en/my-kanta-pages

My Kanta is one zero-day away from compromising 5.5 million citizens’ data. In the US digital services don’t work too well because data is either fragmented in small state-wide databases, or siloed in massive corporate databases. My Kanta is a bit different; it works really well, because the data of every Finnish citizen is stored there, no exceptions. Every Finn is issued a social security number at birth and thus everyone has a database entry.

From what I’ve discussed with peers, luckily each log entry — especially when it comes to mental health treatment — is now written together with patients, so thankfully everyone has a say in what goes in there.

Clive Robinson December 10, 2020 4:58 PM

@ Kurt Seifried,

… an APT will always win in the long run, etc.

No they won’t, if you take the correct mitigation[1].

Which is why the first question you should have been asking is,

“With the recognized risk of being connected to any public or private communications network” and “the recognized high confidentiality of the records and duty of care to the patients’ confidentiality”, why was the clinic connected to a publicly accessible network?

[1] One of the first things I ask when I’m on site is “Why is this computer connected to the internet?” Normally I do not get a valid response. In most places the penny does not seem to have dropped. The Internet is hostile ground; few if any employees have legitimate need of the internet as part of their job. Even when they do need Internet access, generally the access can be significantly reduced to a base minimum of restricted IP addresses… For most, Internet access is entirely unnecessary and they should not be given it for security reasons.

klubb0 December 11, 2020 5:58 AM

Under the EU data protection laws the conduct of Vastaamo is punishable. Also, apparently the owners failed to disclose the breach while selling a majority of the company to a VC fund. A criminal investigation is going on, assets of the owner family are partially frozen, and the Finnish parliament is discussing legislative changes easing the change of affected customers’ social security ids, and mandatory security audits for patient information systems. In short, in a small country such as Finland this happening was huge, and will have ramifications for years to come.

maqp December 11, 2020 8:06 AM

@Clive Robinson

“why was the clinic connected to a publicly accessible network?”

Great question. Especially considering there’s a company called Suomen Erillisverkot (that roughly translates as “Isolated Networks of Finland”) https://www.erillisverkot.fi/en/

AFAIK the company provides a physically isolated network for LEA/military/intelligence agencies, critical infrastructure etc. It should be obvious all health data of the citizens is also stored there. Vastaamo etc. now use the My Kanta database. If the strategy is going to be all-eggs-in-one-basket, that basket absolutely needs to be isolated from the public network, as soon as possible.

maqp December 11, 2020 8:16 AM

@ klubb0

One big change that’s also happening is the social security ID is becoming just a unique identifier, that is, it’s no longer going to be possible to authenticate to e.g. payday loans by just knowing the social security ID, name, and address.

One interesting aspect is the majority of Finnish e-services use something called Suomi.fi e-Identification: basically you can either use your ID card (that’s a smart card) to authenticate, or you can use your online bank credentials (usually in the form of password + 2FA, the 2FA being a phone app, or a 2FA token, both of which require a PIN for automatic or semi-automatic challenge-response). This makes identity theft very hard and even harder in the future. More information here: https://developer.signicat.com/id-methods/suomi-fi-e-identification/

Cassandra December 11, 2020 8:21 AM

@Clive Robinson

I could not agree more about the lack of need to connect everything to the Internet.

Similarly, it is helpful to have siloed data, which is what the UK by-and-large used to have, with National Health data, Driving Licence data, Tax Data, National Insurance Data, Electoral Rolls all kept in separate incompatible systems. Annoying at times, but making it rather hard to steal all of somebody’s information in one fell swoop. Thankfully, a few people saw through the confluence of a National ID card and a National Database that would connect everything up. A government issued ID card would not be so bad, but a single government database would be terrible – but very, very convenient.

Anyway, back to Internet connectivity. There is an argument for networks to be segregated so that people can access the Internet for their private business on company time, but for business systems to be ruthlessly air-gapped (energy-gapped).

Unfortunately, the availability of permanent Internet access for providing web-based services has meant that many designers assume ubiquitous real-time connectivity, with all the security issues that brings. It is, again, very convenient for many purposes. Convenience trumps security. Again. I can only see things improving if lack of security inconveniences people with power more than implementing security would. We are not at that level of chaos yet.

As for the Finnish patient data, I hope details of how the data-theft occurred come out, and whether it was a ‘clever and subtle’ theft, or just an easy copy of unsecured and unencrypted data. There are techniques for securing patient information that should have been used, and I would be interested to know if they had been used and worked around, or whether it is ‘just’ simple negligence.

Cassandra

Clive Robinson December 11, 2020 10:00 AM

@ maqp, Cassandra,

Vastaamo etc. now use the My Kanta database. If the strategy is going to be all-eggs-in-one-basket, that basket absolutely needs to be isolated from the public network, as soon as possible.

But it probably will not be or done so ineffectively that it is the equivalent failing.

Back when the UK NHS were connecting Drs up online, there was supposedly “strong encryption” in use. The algorithm was supposedly from GCHQ and called “Rambutan”[1],

https://en.m.wikipedia.org/wiki/Rambutan_(cryptography)

Well the problem was that, being custom chips that were mounted on likewise custom boards for PCs, not a software solution, there were “roll out issues” that resulted in things not working the way they should…

I’ve been told that in order to meet deadlines some Drs surgeries were “connected but not encrypted”…

Suggesting that patient confidentiality was of very low priority. Something that has been repeatedly confirmed with the current UK political incumbents just selling patient data without any real attempt at even superficial anonymisation. The most current we know of was the contracting of Palantir, a predatory US data aggregator that was apparently also involved with Cambridge Analytica amongst others, with no oversight of any kind and in breach of EU Data Protection Legislation…

Mind you, the current UK political incumbents have also “given” data from UK Citizen Medical files to “Ipsos MORI”[2], who are most certainly not an organisation I would want having my details in any way at any time. Whilst I was aware they were a “Market Research” company, I found out nearly a decade ago that they were “branching out” into data surveillance capitalism. Put simply, they were approaching organisations with large databases such as mobile phone companies and then offering to become “value added” data brokers to the likes of the Metropolitan Police, which is much the same as US based Palantir does currently.

You would think that for obvious reasons such organisations cannot in any way be trusted with people’s PPI, from basic details all the way through medical file data etc.

But… The UK Gov, under direction from above, gave both Palantir and Ipsos MORI quite a few quite lucrative contracts which involved handing over people’s PPI…

[1] Yes, the same as the hairy fruit with soft entangled thorns like a bad hair day that appears to be hard to crack with its leathery surface but is very soft and yielding when you get in. Which made one or two security practitioners at the time suggest the same might well be true of the cipher itself…

[2] https://en.m.wikipedia.org/wiki/Ipsos_MORI

Lerssi Larsson December 11, 2020 10:38 AM

@Lerssi Larsson

You stupid Finn! It goes “Does anybody have one?” Thank you for the correction. 😉

Peter A. December 14, 2020 4:02 AM

It’s not only medical services companies being careless or incompetent in information security. Sadly, governments all over the world legislate mandatory health information databases and systems. In many places it is no longer possible to use public health service without detailed data about your visit stored in a mandatory government system. Worse, it is often not possible to use a fully-paid private, individual service (i.e. a doctor having a private practice as opposed to working for some big medical services company) without some data being stored in a governmental database, such as your prescription.

Privacy-wise, we’re left with herbal and non-scientific treatments, or the black prescription drugs market, or… I’ve already seen a small rise in a tendency to use veterinary-grade medicaments, which was always regarded as oddball, to say it mildly, or a really poor man’s choice. These preparations for animals are often the same active substances that are used in human treatment, but in different package/dosage/brand – and often much cheaper if you have to pay the full price (like when not having public “health insurance”) – and sales records are not tied to your national ID number… yet.
