Article about data breach leaking records of mental health patients in Finland

[Stevicus]

They Told Their Therapists Everything. Hackers Leaked It All | WIRED

The article centers on a young man in Finland who received mental health treatment as a teenager, only to find that his records (including the therapist's notes) were stored electronically and then hacked. He (along with tens of thousands of others) received an email demanding 200 Euros worth of Bitcoin for them to delete his records.

A few days earlier, Vastaamo had announced a catastrophic data breach. A security flaw in the company’s IT systems had exposed its entire patient database to the open internet—not just email addresses and social security numbers, but the actual written notes that therapists had taken. A group of hackers, or one masquerading as many, had gotten hold of the data. The message in Jere’s inbox was a ransom demand.

“If we receive €200 worth of Bitcoin within 24 hours, your information will be permanently deleted from our servers,” the email said in Finnish. If Jere missed the first deadline, he’d have another 48 hours to fork over €500, or about $600. After that, “your information will be published for all to see.”

Jere had first gone to Vastaamo when he was 16. He had dropped out of school and begun to self-harm, he says, and was consuming “extreme amounts” of Jägermeister each week. His girlfriend at the time insisted he get help; she believed it was the only way Jere would see his 18th birthday.

During his therapy sessions, Jere spoke about his abusive parents—how they forced him, when he was a young kid, to walk the nearly 4 miles home from school, or made him sleep out in the garden if he “was being a disappointment.” He talked about using marijuana, LSD, DMT. He said he’d organized an illegal rave and was selling drugs. He said he’d thought about killing himself. After each session, Jere’s therapist typed out his notes and uploaded them to Vastaamo’s servers. “I was just being honest,” Jere says. He had “no idea” that they were backing the information up digitally.

Vastaamo ran the largest network of private mental-health providers in Finland. In a country of just 5.5 million—about the same as the state of Minnesota—it was the “McDonald’s of psychotherapy,” one Finnish journalist told me. And because of that, the attack on the company rocked all of Finland. Around 30,000 people are believed to have received the ransom demand; some 25,000 reported it to the police. On October 29, a headline in the Helsinki Times read: “Vastaamo Hacking Could Turn Into Largest Criminal Case in Finnish History.” That prediction seems to have come true.

If the scale of the attack was shocking, so was its cruelty. Not just because the records were so sensitive; not just because the attacker, or attackers, singled out patients like wounded animals; but also because, out of all the countries on earth, Finland should have been among the best able to prevent such a breach. Along with neighboring Estonia, it is widely considered a pioneer in digital health. Since the late 1990s, Finnish leaders have pursued the principle of “citizen-centered, seamless” care, backed up by investments in technology infrastructure. Today, every Finnish citizen has access to a highly secure service called Kanta, where they can browse their own treatment records and order prescriptions. Their health providers can use the system to coordinate care.

Vastaamo was a private company, but it seemed to operate in the same spirit of tech-enabled ease and accessibility: You booked a therapist with a few clicks, wait times were tolerable, and Finland’s Social Insurance Institution reimbursed a big chunk of the session fee (provided you had a diagnosed mental disorder). The company was run by Ville Tapio, a 39-year-old coder and entrepreneur with sharp eyebrows, slicked-back brown hair, and a heavy jawline. He’d cofounded the company with his parents. They pitched Vastaamo as a humble family-run enterprise committed to improving the mental health of all Finns.

For nearly a decade, the company went from success to success. Sure, some questioned the purity of Tapio’s motives; Kristian Wahlbeck, director of development at Finland’s oldest mental health nonprofit, says he was “a bit frowned-upon” and “perceived as too business-minded.” And yes, there were occasional stories about Vastaamo doing shady-seeming things, such as using Google ads to try to poach prospective patients from a university clinic, as the newspaper Iltalehti reported. But people kept signing up. Tapio was so confident in what he’d created that he spoke about taking his model overseas.

Vastaamo has since gone out of business, and they're still trying to sort through all this mess. The hacker, known as "ransom_man" has still not been identified or caught, although the patient records are still out there floating around in the ether.

This is just...outrageous. I'm wondering if they can "mark" Bitcoin like they do with paper currency.

I guess the lesson here is, if anyone is planning to see a psychiatrist, be sure to inquire about how records are kept and what kind of security they use.

 

[Brickjectivity]

They Told Their Therapists Everything. Hackers Leaked It All | WIRED

The article centers on a young man in Finland who received mental health treatment as a teenager, only to find that his records (including the therapist's notes) were stored electronically and then hacked. He (along with tens of thousands of others) received an email demanding 200 Euros worth of Bitcoin for them to delete his records.





Vastaamo has since gone out of business, and they're still trying to sort through all this mess. The hacker, known as "ransom_man" has still not been identified or caught, although the patient records are still out there floating around in the ether.

This is just...outrageous. I'm wondering if they can "mark" Bitcoin like they do with paper currency.

I guess the lesson here is, if anyone is planning to see a psychiatrist, be sure to inquire about how records are kept and what kind of security they use.

Its no different from keeping financial data unencrypted, like the time that the enormous hardware store chain called Home Depot stubbornly ignored all sound advice about encrypting their customer's credit card data, then got hacked, like clockwork.

I think the therapist and their data company share some responsibility for not storing this data in an encrypted form, but they could be given some leniency since electronic formats are new. They are partly liable I think, but anyone as of 2021 who is storing data like that in an unencrypted form is being negligent.

 

[Shadow Wolf]

I'm wondering if they can "mark" Bitcoin like they do with paper currency.

No. Cryptocurrency has nothing physical to it. It's just data that exists on servers, and there is no real central authority or figure over it. It's basically an odd fiat currency that is nebulous in practice and free of the normal things that would effect a currency's value. There are several of them that intentionally keep the value of the digital currency at being as close to $1 as possible, theoretically allowing someone to preserve the value of their monetary wealth by purchasing this digital currency that, regardless of what happens to their own real world currency, will always be worth 1USD.
And, again, there is nothing centralized about this.

 

[Saint Frankenstein]

No. Cryptocurrency has nothing physical to it. It's just data that exists on servers, and there is no real central authority or figure over it. It's basically an odd fiat currency that is nebulous in practice and free of the normal things that would effect a currency's value. There are several of them that intentionally keep the value of the digital currency at being as close to $1 as possible, theoretically allowing someone to preserve the value of their monetary wealth by purchasing this digital currency that, regardless of what happens to their own real world currency, will always be worth 1USD.
And, again, there is nothing centralized about this.

From Google:
"1 Bitcoin equals
57,192.80 United States Dollar"

I need to get into Bitcoin mining, obviously.

 

[Shadow Wolf]

From Google:
"1 Bitcoin equals
57,192.80 United States Dollar"

I need to get into Bitcoin mining, obviously.

It takes a ton of power to do that. It's not really something a regular/average person can do.

 

[Stevicus]

No. Cryptocurrency has nothing physical to it. It's just data that exists on servers, and there is no real central authority or figure over it. It's basically an odd fiat currency that is nebulous in practice and free of the normal things that would effect a currency's value. There are several of them that intentionally keep the value of the digital currency at being as close to $1 as possible, theoretically allowing someone to preserve the value of their monetary wealth by purchasing this digital currency that, regardless of what happens to their own real world currency, will always be worth 1USD.
And, again, there is nothing centralized about this.

I know next to nothing about it, although if it's in data packets, I was wondering if it was possible to surreptitiously add some encrypted code which can allow someone to track it. How do they use it? Do they keep it in a regular bank account? Can they go down to the bank and just get cash in exchange for Bitcoin?

 

[Shadow Wolf]

I know next to nothing about it, although if it's in data packets, I was wondering if it was possible to surreptitiously add some encrypted code which can allow someone to track it. How do they use it? Do they keep it in a regular bank account? Can they go down to the bank and just get cash in exchange for Bitcoin?

No to all of that.
You sign up for I currency exchange thingy (I use Coinbase), link bank account to buy digital currency, and then you own nothing that has a physical presence, it has no central organization or server, and there is nothing to insure if it's lost.
Regulators around the world want to clamp down on it, but it's designed to work around that.
And it is explosively volatile. This is Bitcoins growth since it began (there are hundreds of digital currencies).

And to use it you spend it at places that accept it. Which aren't many because many retailers, banks, and investors are skeptical and hesitant. There's soon to be a debit card, but I don't know how that will work out.

 

[Saint Frankenstein]

It takes a ton of power to do that. It's not really something a regular/average person can do.

I know. But, damn. Lol.

 

[Twilight Hue]

They Told Their Therapists Everything. Hackers Leaked It All | WIRED

The article centers on a young man in Finland who received mental health treatment as a teenager, only to find that his records (including the therapist's notes) were stored electronically and then hacked. He (along with tens of thousands of others) received an email demanding 200 Euros worth of Bitcoin for them to delete his records.





Vastaamo has since gone out of business, and they're still trying to sort through all this mess. The hacker, known as "ransom_man" has still not been identified or caught, although the patient records are still out there floating around in the ether.

This is just...outrageous. I'm wondering if they can "mark" Bitcoin like they do with paper currency.

I guess the lesson here is, if anyone is planning to see a psychiatrist, be sure to inquire about how records are kept and what kind of security they use.

Better still. Blab your secrets to no one.

 

[Stevicus]

No to all of that.
You sign up for I currency exchange thingy (I use Coinbase), link bank account to buy digital currency, and then you own nothing that has a physical presence, it has no central organization or server, and there is nothing to insure if it's lost.
Regulators around the world want to clamp down on it, but it's designed to work around that.
And it is explosively volatile. This is Bitcoins growth since it began (there are hundreds of digital currencies).
View attachment 50257
And to use it you spend it at places that accept it. Which aren't many because many retailers, banks, and investors are skeptical and hesitant. There's soon to be a debit card, but I don't know how that will work out.

I don't know. It just seems kind of shady to me. I know it's used for shady transactions on the dark web. Out of curiosity, I got a Tor browser and started looking at some things, and some of this stuff is bad. I mean, really bad. Makes me wonder who is behind all of it. There's always a lot of finger-pointing at the Russians, although conceivably, anyone from any country could be involved in these activities.

 

[Stevicus]

Better still. Blab your secrets to no one.

That's probably a good policy.

 

[Shadow Wolf]

I don't know. It just seems kind of shady to me. I know it's used for shady transactions on the dark web. Out of curiosity, I got a Tor browser and started looking at some things, and some of this stuff is bad. I mean, really bad. Makes me wonder who is behind all of it. There's always a lot of finger-pointing at the Russians, although conceivably, anyone from any country could be involved in these activities.

That's not all it's used for. For many it's an investment to make money. Legit businesses use it as a (often legally grey) way for those in other countries to more easily to purchase goods (this is a bulk of those doing online gambling in the US).
And it's not just countries but corporations who are involved. Particularly larger ones who can pool resources to make mining profitable.

 

[Shadow Wolf]

I never would have guessed getting into online poker would have me explaining cryptocurrency, lmao.

 

[Stevicus]

Well, I just hope they catch whoever did this.