Threat Watch

Hundreds of Patient Records Leaked in Vastaamo Breach

Last Wednesday, Finnish Psychotherapy Center Vastaamo announced an incident in which a threat actor demanded an extortion payment in return for a promise not to publish a stolen patient database. Cybersecurity company Nixu, which is investigating the incident, found that the breach likely happened in November 2018. Any patients registered after that date are not currently believed to be involved in the breach. Unfortunately, a second breach occurred in March 2019 as well, though it is unknown if the intruder viewed or copied patient records this time.

The threat actor making demands first contacted three employees asking for 40 bitcoins not to release the stolen records. Since the public announcement, the actor has published over 300 patient records on a Tor website. To make matters even worse, the actor then decided to email each of the victims to demand $240 in bitcoin to remove their individual records from the site. Vastaamo is currently offering victims support via phone calls, giving advice on what to do if their records are published online.

ANALYST NOTES

Situations like these are tough because nobody wants their private mental health information exposed to the world. However, as tempting as it may seem to give in to the demands and pay the ransom, there is never any guarantee that the information will be deleted. Even if the threat actor does delete the information, it could have been downloaded by someone else or they may have kept a copy to extort victims again and again. Binary Defense highly recommends any victim not make the payment in situations like these. The best situation is to keep the data theft from happening in the first place by carefully monitoring security events from workstations, servers, and network devices. A skilled team of analysts working in a 24/7 Security Operations Center can detect intruders who make it past perimeter defenses and stop attacks before they access the most sensitive information. Binary Defense offers round-the-clock coverage of SIEM and MDR through the Security Operations Task Force, and also investigations and monitoring of information posted on Darknet websites through the work of the Counterintelligence team.

Source: https://www.bleepingcomputer.com/news/security/finnish-psychotherapy-clinic-discloses-data-breach-victims-extorted/