Therapy patients blackmailed for cash after clinic data breach

246 points by velmu over 4 years ago

23 comments

notRobot over 4 years ago
Previous discussion, 2 days ago: https://news.ycombinator.com/item?id=24886039
AnssiH over 4 years ago
The police have received over 13500 crime reports already, so this may well become the largest Finnish criminal case in history in terms of number of victims (Finnish source: https://www.hs.fi/kotimaa/art-2000006702261.html).

Though I don't think it is yet known how many of those crime reports concern blackmail, unauthorized data release, or other crimes related to the data breach.

A couple of English links:

https://yle.fi/uutiset/osasto/news/court_freezes_assets_as_vastaamo_probe_looks_for_answers/11616779 -- https://yle.fi/uutiset/osasto/news/vastaamo_board_fires_ceo_says_he_kept_data_breach_secret_for_year_and_a_half/11614603 -- https://yle.fi/uutiset/osasto/news/president_niinisto_this_affects_all_of_us/11612622 (Yle News)

https://www.poliisi.fi/about_the_police/press_releases/1/0/nbi_to_continue_criminal_investigation_into_exceptionally_large-scale_hacking_of_psychotherapy_customer_files_94237 (Police)

https://tietosuoja.fi/en/-/advice-for-the-victims-of-the-data-leak (Data Protection Ombudsman)
willvarfar over 4 years ago
Decades ago one of my first jobs was as an IT bod for a regional health service.

One of their facilities was a family psychiatry centre. The staff there refused to let their records be held centrally, and instead had everything on clunky PCs bolted into lockable safes in the corner of each doctor's office. When the safe opened the keyboard slid out.

The doctor in charge had also built their own database that they used. Early adopters, before the rest of the health service was modernizing with newfangled computer thingies. Clever people, those doctors.
adriand over 4 years ago
This is so insane and so tragic. The anguish these people are going through right now is unconscionable. And the people doing this are truly the scum of the earth.

It also raises the question whether certain records just ought not to be digitized, ever. I saw a therapist a few years ago. I asked her at the start, while reviewing her Ts&Cs, about the service she used to store her client data. It was a very secure online service, she assured me. Yeah right, I thought. I asked her to keep my records on paper in her locked filing cabinet instead, and she agreed. I would really recommend the same course of action to anyone.
salex89 over 4 years ago
A funny piece of advice. I have an actually very good friend (we still are, but at a point in history our relations became a bit dark) who knew that I was going into therapy. I didn't actually accept the fact that I had to go well, and I felt ashamed and weak when we talked about it. Little did he know, in the meantime I got much better, accepted the fact and started freely speaking about it with other people here and there. Not when not asked, but when the topic of mental health came along, I wasn't shy to expose the fact and encourage people to seek their own. And in one relatively big dispute (minor from this distance), he kind of tried exposing it against me in front of some mutual friends who actually already knew (I told them in the meantime). Well, he looked like a massive jackass.

In conclusion, don't be ashamed for seeking therapy. Yes, it may feel shameful now, which is completely unwarranted, but a part of the process of healing is also dealing with the existence of the issue itself and taking a different stance on mental health issues.

As for the blackmailers... just rot in hell.
titzer over 4 years ago
Yet another instance of "if you're not doing anything wrong, you've got nothing to hide" being a very poor argument against robust privacy protections.
dbspin over 4 years ago
I trained as a therapist a decade ago, and even then it was written into my organisational code of ethics that patient notes be stored encrypted with identifying codes rather than names, and the list of names / numbers stored and encrypted separately. While our code of practice didn't specify scheme or location, it's pretty awful that this company didn't seem to have anything in place. But I guess that's to be expected from what sounds like a corporate firm rather than a set of practitioners. At this scale, clients are just numbers on a balance sheet.
FDSGSG over 4 years ago
A Finnish court just ordered a seizure of almost 10 million euros worth of assets from the ex-CEO and his family.

Investors believe that he knew about the breach but covered it up, so now they're trying to claw back their money.

https://www.mtvuutiset.fi/artikkeli/jattimainen-takavarikko-vastaamon-ex-toimitusjohtaja-ville-tapion-ja-perheenjasenien-omaisuutta-takavarikkoon-liki-10-miljoonan-euron-edesta/7966666
jonplackett over 4 years ago
> It has set up a helpline and is offering all victims one free therapy session, the details of which will not be recorded.

Wow, bet they'll have a lot of takers for that. Maybe they should have thought of this concept earlier.
specialist over 4 years ago
Data at rest must be encrypted.

Field level encryption. Just like password files. Salt and hash any potentially identifying information.

Translucent Databases shows how. https://www.amazon.com/gp/product/1441421343

Source: Created some of the first medical records digital exchanges (NYCLIX, BHIX, etc) in the mid 2000s. Worked very hard to figure out how to protect patient privacy. This breach and subsequent blackmailing was one of our nightmare scenarios. FWIW, nothing (nothing) has improved since.
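A small sketch of the record layout dbspin and specialist describe above (notes stored under pseudonymous codes, the code-to-name list kept encrypted separately, field-level encryption of the note text), added here as example code that is not from the thread, from Vastaamo or from the Translucent Databases book. It assumes a keyed hash with a secret pepper in place of the comment's salt-and-hash, and a SHA-256 counter-mode stream with an HMAC tag as a stand-in for an AEAD such as AES-GCM from a real crypto library.

```python
import hashlib
import hmac
import secrets
# Constructed demo keys: in a real deployment they live in a KMS/HSM, never beside the data.
PEPPER = secrets.token_bytes(32)     # keyed-hash secret for pseudonymous record codes
NOTES_KEY = secrets.token_bytes(32)  # protects clinical notes (field-level encryption)
MAP_KEY = secrets.token_bytes(32)    # protects the code -> name list, stored separately

def record_code(national_id: str) -> str:
    """Pseudonymous code for a patient; useless to a thief who does not also hold PEPPER."""
    return hmac.new(PEPPER, national_id.encode(), hashlib.sha256).hexdigest()[:16]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHA-256 in counter mode as a stand-in PRF stream (assumption: real code uses AES-GCM).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]
def _mac_key(key: bytes) -> bytes:  # separate key for the authentication tag
    return hashlib.sha256(b"mac:" + key).digest()

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(_mac_key(key), nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_mac_key(key), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Two stores that must never be breached together: notes keyed by code, and the code -> name map.
notes_store: dict[str, list[bytes]] = {}
identity_map: dict[str, bytes] = {}

def add_note(national_id: str, name: str, note: str) -> None:
    code = record_code(national_id)
    notes_store.setdefault(code, []).append(encrypt(NOTES_KEY, note.encode()))
    identity_map[code] = encrypt(MAP_KEY, name.encode())

def read_notes(national_id: str) -> list[str]:
    code = record_code(national_id)  # clinician path: identifier is re-hashed, never stored with notes
    return [decrypt(NOTES_KEY, b).decode() for b in notes_store.get(code, [])]

def breach_view() -> list[tuple[str, bytes]]:
    """What a thief who copies only the notes table gets: opaque codes and ciphertext, no names."""
    return [(code, blob) for code, blobs in notes_store.items() for blob in blobs]
```

A copy of the notes table alone yields neither names nor readable notes, and a copy of the identity map alone yields no notes; the extortion described in the article needs both plus the keys.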
apples_oranges over 4 years ago
Is there a catchy expression for the fact that in the future all data that we believe private will probably be public? Give it a few more security breaches..
fritzo over 4 years ago
Call to action for neural artists: We need deep fakes to generate vast amounts of plausible noise and thereby conceal our sensitive private signal. I feel like the only way our species will regain a sense of privacy is when we're concealed in a forest of artificial signal.
reagent_finder over 4 years ago
Apparent timeline:

2018 Nov: Company breached; it seems most likely the database of 40,000 mental health records including PII (duh), contact information and treatment history and notes was stolen at this time.

2019 Mar: Another breach. This causes Vastaamo to increase security and close the holes the hackers used.

2019 Apr/May: Independent security company (not named) performs an audit since the company was to be sold. Some improvements were suggested, no major security flaws were found.

2020 Aug/Sep: Vastaamo receives a threat from the hacker: if they will not pay 40 BTC, the hacker will release the database. Until they do, the hacker will release 100 records per day.

2020 Sep/Oct: Infosec company Nixu researches Vastaamo systems, reporting that the breach that stole the database was probably made in November 2018, possibly single records in subsequent breaches.

2020 Oct: Individuals whose information was not in the already-leaked records have been contacted and extorted individually.

After that, in no particular order:

* 300 records have been leaked. The hacker seems to have stopped, though.

* Single records not included in the 400 have surfaced on the TOR web.

* A site on TOR was up for a while with several similarly-named files, one a 10GB tar that is rumored to be the database. Partial downloads have been reported. Edit: Also program snippets etc. included, with a possible 'digital fingerprint' according to Mikko Hyppönen, a well-known Finnish security expert.

* An IP address related to the hack has been traced to Inkoo, Finland.

CEO claims the 2020 Nixu report was the first time he heard of the breaches and that's why the new CEO or board were not informed -- which seems awfully sus, considering several breaches were made and a reactionary battening down of the hatches as well as an external audit were made.

Further, people who work or used to work at Vastaamo have come out claiming a toxic work environment, threats of lawsuits if they speak out against the company, bad working conditions and a large number of ethical violations (like using as advertisement the names and reputation of people who don't work for them). It also appears they've been sending social security numbers in plaintext over email. Claims have also been made that the database and system were outdated and only had default passwords and no real attempt at securing the data or even servers had been made, but of course nothing is public yet. Possibly never will be.

All in all, looks like the previous owner is a bona fide scumbag with all the bells and whistles that entails. And, of course, as is fashionable, when asked about these things his responses have been "I have no knowledge of that" and "I do not recall." And, of course, affected people have found out about this from the news and not Vastaamo themselves.

My heart goes out to the people affected; it takes courage and effort to start working out mental health problems and this has probably been a devastating blow to many.
amelius over 4 years ago
Another crime partially made possible by Bitcoin. This doesn't necessarily make Bitcoin or other cryptocurrencies "bad", but we should keep a score of the advantages and disadvantages of a technology.
b0rsuk over 4 years ago
Off-topic, but there&#x27;s one funny thing about psychiatric clinics. Waiting rooms are completely silent. Everywhere else, patients (especially elderly) won&#x27;t shut up about their pains and treatments.
privacylawthrow over 4 years ago
There have been previous discussions on HN about why it should be illegal to pay a ransom to hackers. Here is a very good reason why it should not be illegal.
greatgib over 4 years ago
A very good example to show to people that are still in the stupid mindset: "I have nothing to hide because I'm not a criminal"
brador over 4 years ago
Therapy notes should require both therapist and patient to enter a secret passcode to unlock. 2 person consent.
wun0ne over 4 years ago
Absolutely horrific. I hope those responsible are identified and apprehended as soon as possible.
metalliqaz over 4 years ago
I would sue the clinic into oblivion. The clinic is finished anyway, who would go there now?
easytiger over 4 years ago
Maybe some things should just be kept on paper, at the end of the day.
null_object over 4 years ago
In the interest of accuracy, the title of this post should replace ‘cash’ with ‘Bitcoin’.
gonzo41 over 4 years ago
So I don't speak Finnish, but to commit extortion in Finland you probably need to, right?

Would this mean that the hackers are probably Finnish?

And if that's the case, seeing how massive this is for the country, wouldn't this type of action just be crazy risky for them?

Good luck to the cops, I hope they get the bad guys and there's consequences.