Finnish therapy clinic’s CEO fired after despicable data breach and blackmail threats

Vastaamo therapy patients are being blackmailed by hacker.

Graham Cluley
@gcluley

Therapy clinic Vastaamo has fired its CEO Ville Tapio in the wake of a disastrous data breach which has seen patients’ personal details, as well as notes of what has been discussed in confidential therapy sessions, exposed.

After demanding Vastaamo pay a ransom of 450,000 Euros, the hacker has emailed victims in an attempt to extort 200 Euros worth of Bitcoin.

Victims were told that if they didn’t pay 200 Euros, the ransom would rise to 500 Euros after 24 hours, and then sensitive information would be published online after 72 hours had elapsed.

It is thought that the hacker, who is going by the name “ransom_man”, may have seized psychotherapy session notes related to as many as 40,000 patients, with a 10 GB file containing private notes related to at least 2000 patients already published on the dark web.

To compound the horror of the incident, some of the patients embroiled in the data breach are children.

According to BBC News, Vastaamo has set up a telephone hotline for victims, and is offering those affected “one free therapy session, the details of which will not be recorded.”

Yeah, well. Too bloody right it shouldn’t be recorded.

Sign up to our newsletter
Security news, advice, and tips.

An investigation has uncovered that the database of customer details and therapy session notes was first breached in November 2018, but there was another security breach in mid-March 2019 which apparently CEO Ville Tapio knew about but – for reasons best known to himself – did not inform the appropriate authorities or with other members of Vastaamo’s board.

News of Vastaamo’s devastating data breach was not made public until 18 months later on October 21, 2020, and Tapio was dismissed yesterday.

One of those who received a threat of blackmail from the hacker was former MP Kirsi Piha. She posted a screenshot of the ransom message on Twitter, alongside a defiant message that she seeking help through therapy was not shameful.

I don’t have any sympathy for cybercriminals at the best of times, but this is possible the most despicable act related to a data breach I have ever witnessed.

I would like to think that local cybersecurity experts are helping the Finnish authorities to track down whoever is responsible, so that the culprit can be brought swiftly to justice.

Questions must also be asked, of course, as to how Vastaamo’s data could have been accessed by a hacker so easily.

Victim Support Finland has published advice for those affected by the data breach.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.