Hackers hold patient information for ransom in psychotherapy data breach

The National Bureau of Investigations, and other agencies, have launched an investigation into how the data might have become compromised.

File picture inside Vastamo Tampere office / Credit: Vastamo

A company that offers psychotherapy to thousands of patients across Finland says it’s been the victim of a data breach, with the personal information of customers held for ransom.

Vastaamo, which sees patients in 20 cities including Helsinki, Joensuu, Jyväskylä, Pori, Turku and Tampere, says “an unknown hostile party” got in touch with them saying they had obtained customer details.

The company informed authorities including the Finnish Cyber Security Centre, the Data Protection Ombudsman, and the National Supervisory Authority for Welfare and Health Valvira. They also worked with independent security experts to look at what happened, and the National Bureau of Investigation has now launched an investigation into the incident.

“As a company providing psychotherapy services, the confidentiality of customer information is extremely important to us and the starting point for all our operations. We deeply regret the leak due to the data breach” says Tuomas Kahri, Vastaamo’s Chairman of the Board in a statement.

“We are constantly developing our information security and data protection, and we will take additional measures when our own investigations and regulatory investigations are completed” he adds.

Valvira says it didn’t make the matter known to the public, or its patience, until now due to the ongoing police investigation. It’s not known at this time whether the hackers still have the patient information, if the ransom was paid, or if the records were recovered.

It’s unclear how many patient records might have been stolen by the blackmailers, nor how long they’ve had access to Valvira’s data systems. There is also no word yet on how much money is being demanded by the hackers.