Cyber Incident Victim: Psykoterapiakeskus Vastaamo

Date: Oct 2020

Location: Finland

Summary

A Finnish psychotherapy center suffered a ransomware attack compromising sensitive records of up to 40,000 patients, with the threat actor demanding cryptocurrency payments to prevent data leaks. The attacker exfiltrated therapy session notes, personal identity numbers, treatment plans, and appointment histories, later directly extorting individual patients by sending messages impersonating the center's communications. Initially thought to involve older records, the breach scope expanded with indications that more recent patient data may also have been accessed. While video sessions remained secure, the incident exposed extensive clinical details and personal information. The intrusion method and reasons for undetected system penetration remained undisclosed, raising unresolved questions about security measures and whether multiple breaches occurred.

Description

The Vastaamo psychotherapy center in Finland experienced a significant data breach involving patient records, first publicly acknowledged around October 2020. A threat actor gained unauthorized access to records of approximately 40,000 patients registered before November 2018, with later indications suggesting potential compromise of data up to March 2019. The attacker demanded a ransom of 40 Bitcoin (approximately €450,000) to prevent public data release, contacting both Vastaamo and media outlets like Ilta-Sanomat. Ransom messages sent directly to patients used titles such as "Answering Office Information" and included personal identity details to authenticate the threats. Compromised information encompassed patient contact details, national identity numbers, therapist session notes, appointment histories, care plans, treatment goals, and administrative documents submitted to authorities. Video therapy sessions were not recorded and remained unaffected. Vastaamo confirmed the breach impacted two distinct time periods but did not clarify whether this resulted from separate intrusions or expanded access during a single incident. The attacker exhibited potential language barriers, soliciting assistance with Finnish ransom demands, though this may have been deliberate misdirection.

Vastaamo initiated patient notifications following authorization from Finnish government agencies, directing individuals to official communications channels to distinguish legitimate correspondence from fraudulent ransom attempts. The organization updated its website with breach details and FAQs but did not disclose the intrusion method, duration of unauthorized access, or reasons security systems failed to detect data exfiltration. Public speculation arose regarding whether defenses were disabled or inadequately implemented. Immediate consequences included widespread patient distress over sensitive mental health data exposure and extortion risks, compounded by uncertainties around the breach's full scope. Media reports highlighted inconsistencies in Vastaamo’s timeline disclosures, particularly regarding whether the intrusion occurred prior to November 2018 or involved more recent system access. Authorities and cybersecurity observers emphasized the severity of exposing psychotherapy records, which carry heightened privacy sensitivities. The incident remained under active investigation with unresolved questions about attacker identity, potential data dissemination beyond ransom threats, and systemic vulnerabilities enabling the compromise.
