Hundreds of mental health patients at Vastaamo Clinic in Helsinki are finding blackmail notices after their personally identifiable information (PII) was reportedly stolen by cyber-attackers.
Vastaamo Clinic said that it is “likely” the records were first accessed in November 2018 and again between December 2018 and March 2019.
Hundreds, if not potentially thousands of people appear to have had their records stolen – many of which received care paid for by Finnish Social Security (Kela).
These stolen clinical records are reportedly being published to the Dark Web on a daily basis and the hackers said they do not intend to stop until they are paid $530,000 in bitcoin.
These cyber-criminals are blackmailing both the organization and individuals affected and are contacting individuals with extortion demands of between $200-$800 in bitcoin.
If the individuals pay the extortion demand, the criminals claim that they will delete their private records.
Stolen records include patient names, email addresses, and telephone numbers including information belonging to both minors and adults.
They also gained access to notes relating to individual therapy sessions as well.
F-Secure chief research officer Mikko Hyppönen, who is based in Finland, confirmed that therapist session notes belonging to 300 patients had been leaked online.
In an emergency meeting held on Sunday by cabinet members, Finland’s president, Sauli Niinisto, called the blackmail “cruel” and “repulsive”.
In a statement posted to the firm’s website, Vastaamo said the “emergency caused by the crisis is great”.
Vastaamo said they are working with law enforcement to investigate and offer crisis support.
Those contacted with extortion demands are asked to not pay the ransom but rather report the incident and file a report with the police