adimas - Fotolia

25,000 criminal reports: Vastaamo breach sets new precedent

The recent data breach at the Vastaamo Psychotherapy Centre in Finland shows threat actors are willing to threaten and extort patients directly, setting a dangerous new precedent.

Threat actors behind the Vastaamo Psychotherapy Centre data breach have taken extortion to another level.

Vastaamo, the largest private psychotherapy provider in Finland, revealed last month that it had suffered a data breach in which confidential patient records were stolen. After attempting to extort the organization, which has at least 25 locations and approximately 400 psychotherapists, attackers demanded ransoms from the patients themselves. While those demands were made recently, the Finnish police say the initial breach, which impacted tens of thousands of patients' records, occurred in 2018.

According to a press release Monday, Finland police said victims of the data breach have currently submitted around 25,000 criminal reports. Tero Muurman, detective superintendent with The National Bureau of Investigation (NBI) in Finland, also confirmed in an email to SearchSecurity that victims of the data breach have received blackmail emails directly from threat actors.

It is unclear why attackers waited two years to cash in on the breach; in a release Oct. 27 Finland police said they "do not know whether the sender of the ransom e-mails and the blackmailer of Vastaamo are one and the same person."

While the breach was reported to police in late September, Vastaamo posted a data breach notification on Oct. 21 stating threat actors had accessed confidential patient data and attempted to extort the psychotherapy center.

"An unknown hostile party has contacted Vastaamo and claimed to have gained possession of confidential information of the company's customers," the statement said. "Some of our customers' confidential information relating to the period prior to the end of November 2018 has been leaked as a result of the break-in. Our system has likely also been accessed between the end of November 2018 and March 2019. According to our knowledge, the database has not been stolen in connection with this, but it is regardless possible that some individual pieces of data have been accessed or copied until March 2019."

Malwarebytes researcher Pieter Arntz said there has been further speculation as to whether the original hack in 2018 and the recent extortion attempts were done by the same people or not.

"A possible explanation would have been an initial hack by a grey-hat to test the defense of the institute. When it turned out the hole was not plugged after proper disclosure somebody may have learned about it and taken advantage of the fact," he said in an email to SearchSecurity. "All speculation, but as long as the guilty parties are unknown, we'll never know for sure. Especially when there is reason to suspect a cover-up where forensic evidence may have been destroyed."

The CyberPeace Institute, a nonprofit launched last year by organizations such as Microsoft and MasterCard, said it's not abnormal for an incident to occur with a considerable delay from the initial intrusion or compromise.

"However, the incident does come at a time, in which threat actors have increasingly begun to leak medical data to extort a ransom payment. Thus, the perpetrator(s) may have taken inspiration from this trend in digital extortion tactics," the institute said in a statement to SearchSecurity.

In those cases, usually the organization would have been the target of extortion and contacted about a large ransom amount, Arntz said.

"It is not clear whether they refused to pay which might have been a trigger or that the contact of the patients would have taken place anyway," he said.

In addition to the oddity of blackmailing patients rather than the organization itself, the government's overall response to the incident was also uncommon. That response included Finland's interior minister calling an emergency meeting with key cabinet members and providing emergency counseling services to potential victims of the extortion scheme.

"I'd say the overall response has been atypical because of the special nature of data and the vast amount of victims," Muurman said. "In this case variety of other entities and organizations like NGOs are involved in helping the victims, which is not typical for cybercrime case."

How it began

According to a blog post by Juliana Crema and Bernhard Schneider, staff members of the CyberPeace Institute, the attackers leaked sensitive patient data after Vastaamo reportedly declined to pay a ransom of 40 bitcoin.

"Vastaamo refused to do this, and so the attackers began to leak patient data onto the dark web, and are threatening to release a further 100 patient records every day that the ransom is not paid. In an attempt to acquire further payment, the attackers offered to delete data of patients affected by the breach in return for 500 EUR. In addition, the attackers began to contact the patients directly via email using the pseudonym 'ransom_man', and giving a deadline of 72 hours to pay ransom," Crema and Schneider wrote in the blog post.

Finland police also reported that in late October, Vastaamo's customer information was published on dark web sites "on the Tor network."

Once blackmail demands began, shock set in at the ability for attackers to violate such highly sensitive information of some 40,000 patients Vastaamo has treated. "Never have we seen outrage about a cybercrime at such a level," Arntz wrote in a blog post last month.

The CyberPeace Institute said the perpetrator targeted a highly vulnerable population by leveraging among the most sensitive type of medical data, calling the attack "unprecedented."

Kevin Epstein, vice president of Premium Security Services, said extortion has emerged in the past few years as the next logical stage of ransom attacks.

"Extortion-based attacks are a particularly pernicious issue, emphasizing the value of privacy and the challenges surrounding defense," he said.

While data leak and extortion isn't new and is often a tactic used in ransomware attacks, the sensitivity of the protected health information and the fact that it was not obtained through a ransomware attack is significant. The number of victims directly targeted is also what makes this attack different, according to the CyberPeace Institute. 

Fallout extends beyond blackmail

Repercussions of the breach also included the firing of Vastaamo CEO Ville Tapio because according to the blog by Arntz, "he was considered to be aware of the breaches and of shortcomings in the psychotherapy provider's data security system."

Arntz also wrote that extortionists have already published some 300 files using the anonymous Tor communication software.

According to the Helsinki Times on Friday, the leak has forced at least one healthcare organization to cut ties with Vastaamo: Kela, the Social Insurance Institution of Finland.

In addition to the ransom demands, Vastaamo posted another concern on Facebook on Oct. 27.

"It has come to our attention that there is a message on Facebook that registered letters were sent in the name of Vastaamo. This is NOT the case! The counterparty has approached customers who were subjected to a data breach by email or in the absence of an email address with a paper letter. So, if you receive a registered letter sent by Vastaamo, it's most likely sent by someone else," Vastaamo wrote on Facebook (translated from Finnish).

In all of the releases pertaining to the breach, the NBI advises victims not to pay the blackmailer "as this will not ensure secrecy of the compromised information."

While he could not provide an update to the investigation, Muurman said information from different sources is being analyzed. "In general, [the] investigation is very intensive at the moment."

Dig Deeper on Threats and vulnerabilities