The huge data security breach and cyber-ransom attack at Finland’s Vastaamo Psychotherapy Centre has provoked a swift response from the government, which is primed to introduce more rigid laws and measures to protect the country’s databases and sensitive information from cyber criminals.
Hackers penetrated Vastaamo’s patient database and central medical records register in November 2018 and again in the spring of 2019, but it was only in September this year that Vastaamo’s board informed authorities about the hack.
The breach at Vastaamo, which affected more than 40,000 patients, resulted in a wave of ransom demands from the hackers. The breach is being investigated by Finland’s National Bureau of Investigation (NBI) in collaboration with cyber crime experts from the National Cyber Security Centre and SuPo, Finland’s national security and intelligence service.
The government’s new anti-hack measures aim to strengthen identity verification protocols and simplify the process of changing personal ID codes. At present, individuals are only permitted to change their personal ID numbers in exceptional circumstances, and the new legislation will tighten regulations and controls around the secure handling of personal ID codes.
In a significant bolstering of Finland’s data security laws, new legislation will require all enterprises offering social and healthcare services to join Kanta’s state-run national digital services platform. Kanta operates a secure database system that requires enhanced electronic recognition, supported by banking codes, to access social welfare and healthcare sector databases. All public sector social welfare and healthcare services use the Kanta system, which is voluntary for private enterprises.
Under the Finnish government’s proposals, the oversight for all serious cyber security matters will move to a single ministry. At present, responsibility for oversight of cyber crime issues and personal data security is spread across multiple branches of government, including the ministries of transport and communications, interior and finance, with each adopting different approaches on network security and data hacks.
“The urgency for new and more robust legislation is unquestionable,” said Sirpa Paatero, minister for local government, which operates as part of the Ministry of Finance. “The data breach and extortion of Vastaamo has created innocent victims. Sensitive personal data has fallen into the hands of criminals. It is our intention to have a legislative bill ready to bring to parliament early in 2021.”
Public disclosure of the serial data breaches at Vastaamo emerged on 29 September and an internal probe launched by the company’s board resulted in the dismissal of CEO Ville Tapio in October.
The investigation found that Tapio had failed to inform the board, patients and law enforcement authorities about cyber attacks and data breaches that took place in 2018 and 2019. The inquiry also criticised Tapio for failing to inform the board or authorities about historic shortcomings in Vastaamo’s IT security systems.
In dismissing the CEO, Vastaamo’s board rejected Tapio’s explanation that he first became aware of data breaches in October 2020 following a comprehensive audit of the private psychotherapy service company’s IT security infrastructure and data storage registers. The board determined that Tapio had known about the data breaches in 2018 and 2019 but chose to conceal the events from the board and authorities.
Vastaamo’s principal owner, Helsinki-based venture capital group Intera Partners, responded to the September revelations of data breaches and extortion demands by filing a lawsuit relating to its acquisition of Vastaamo in May 2019.
Intera had commissioned a pre-takeover audit of Vastaamo’s IT and data security systems that formed part of due diligence on the transaction in the spring of 2019. That audit did not uncover any “critical data security shortfalls” in Vastaamo’s IT security and personal data storage systems, said Intera CEO Jokke Paananen.
“If Intera had been informed by Vastaamo of the data security breaches, or had known about historical problems with deficiencies in its IT security systems, we would not have moved forward with the acquisition,” said Paananen. “Neither Intera nor Vastaamo’s board was told about IT security shortcomings or the data breach in March 2019. We now know that Vastaamo’s CEO was aware of data breaches in 2018 and 2019, as well as problems with its data security protection and defences.”
Vastaamo’s public disclosure of the data hacks in late September resulted in the company liaising with patients and their families regarding steps being taken to protect the integrity of data housed on its records databases and registers.
The company delayed informing clients about the data hack following instructions from the NBI. Patients and their families were asked not to liaise with the cyber hackers, nor pay out on the bitcoin ransom demands seeking sums of €200 to €500, said Tuomas Kahri, Vastaamo’s chairman.
“The investigating authorities asked that we limit our communications and the sharing of information about the matter,” he said. “Police cited operational reasons for imposing reporting restrictions on us.”
Vastaamo, which is offering professional therapy counseling to affected patients and their families, continues to assess the scale of the data breach and the impact on its patients. The company is also providing new data uncovered during deep analysis of its IT security systems to both the NBI and Finland’s data protection ombudsman.
In early October, Vastaamo contracted Nixu to inspect and upgrade security on its data storage, management and retrieval systems. The IT company, which found no evidence of further data breaches after March 2019, has passed information gathered from its forensic appraisal to the NBI and other authorities.
Linked to the extortion demands, hackers have posted acutely sensitive files, including patient diagnoses, medical history records and contact information, on the dark web. The extortion, which sought payment of a bitcoin ransom totalling €1m to cease further public leaking of confidential patient information, extensively targeted Vastaamo’s senior managers and individual patients.
The hackers threatened to publish the details of 100 patients each day until its ransom demands were met. The first tranche of confidential medical records was published on the dark web on 21 October. Since then, based on NBI data, between 14 and 20 client “victims” of Vastaamo have yielded to extortion demands and paid the ransom to the hackers’ undisclosed bitcoin account.
Payment in bitcoin is not an entirely anonymous transaction and can be traced, said Mikko Hyppönen, chief research officer at Finnish security software maker F-Secure.
“Bitcoin is difficult, but not impossible, to trace,” he said. “The ideal situation would be if the extortionist converts the bitcoin into euros, dollars or roubles. It will then be possible to trace the money like in the real world. From what we can see in the case of Vastaamo, this hasn’t happened yet.”