Jukka-Pekka Puro will never forget 2017. The university lecturer from southwestern Finland found himself battling depression and facing a heartbreaking divorce. This spiralled into suicidal ideations when doctors told him that he had aggressive kidney cancer and no more than a few years to live. It was at this point he looked to Vastaamo a private company offering therapy across 25 centres in Finland.
Jukka divulged intimate details about his personal life, his mental health and the prospect of dying soon. Over time Jukka’s therapist moved on to other clients advising him "there was nothing more he could do to help". However, the story has another dark turn, one that shook him to the core.
In October 2020, news broke that Vastaamo's centres endured a cyber breach the data of 400 employees and over 400 000 patients were stolen. Names, contact details, government identity numbers were all stolen by the hackers leaving the victims exposed to fraud and identity theft. The leak also included therapy notes and diagnoses. The criminals found a security flaw in Vastaamo's bespoke IT systems. After attempting to extort 40 bitcoin (worth £403,000) in ransom from the business, the cybercriminals began targeting the patients individually. One of the patients was Puro who received an email on October 24th demanding £150 in 24 hours, increasing to £350 otherwise his conversations with his therapist would be made public.
The extortionist went by the name "RANSOM_MAN" and claimed every day Vastaamo didn't pay 100 clients data would be published online. The company resisted at first resulting in over 300 files being published including various public figures and police officers. “You expect any company recommended by a public-sector hospital to have secure systems to protect their data,” Puro says. “The fact that someone, somewhere knows about my emotions and can read my intimate files is disturbing, but this also affects my wife and children. Somebody knows, for example, how they’ve reacted to my cancer.”
Even for the most experienced cybercriminal investigators, the extortion of Vastaamo's data is unusual and harrowing. Not only due to the size of the breach and the extreme sensitivity of the data, but the pursuit of individuals shows a worrying escalation in cybercriminal tactics. Vastaamo and several of its agents are currently under investigation by the Data Protection Ombudsman and Finland’s National Bureau of Investigation. The case will have wide implications on the healthcare sectors obligations to secure their networks and any data stored.