They Told Their Therapists Everything. Hackers Leaked It All | WIRED
The article centers on a young man in Finland who received mental health treatment as a teenager, only to find that his records (including the therapist's notes) were stored electronically and then hacked. He (along with tens of thousands of others) received an email demanding 200 Euros worth of Bitcoin for them to delete his records.
Vastaamo has since gone out of business, and they're still trying to sort through all this mess. The hacker, known as "ransom_man," has still not been identified or caught, although the patient records are still out there floating around in the ether.
This is just...outrageous. I'm wondering if they can "mark" Bitcoin like they do with paper currency.
I guess the lesson here is, if anyone is planning to see a psychiatrist, be sure to inquire about how records are kept and what kind of security they use.
A few days earlier, Vastaamo had announced a catastrophic data breach. A security flaw in the company’s IT systems had exposed its entire patient database to the open internet—not just email addresses and social security numbers, but the actual written notes that therapists had taken. A group of hackers, or one masquerading as many, had gotten hold of the data. The message in Jere’s inbox was a ransom demand.
“If we receive €200 worth of Bitcoin within 24 hours, your information will be permanently deleted from our servers,” the email said in Finnish. If Jere missed the first deadline, he’d have another 48 hours to fork over €500, or about $600. After that, “your information will be published for all to see.”
Jere had first gone to Vastaamo when he was 16. He had dropped out of school and begun to self-harm, he says, and was consuming “extreme amounts” of Jägermeister each week. His girlfriend at the time insisted he get help; she believed it was the only way Jere would see his 18th birthday.
During his therapy sessions, Jere spoke about his abusive parents—how they forced him, when he was a young kid, to walk the nearly 4 miles home from school, or made him sleep out in the garden if he “was being a disappointment.” He talked about using marijuana, LSD, DMT. He said he’d organized an illegal rave and was selling drugs. He said he’d thought about killing himself. After each session, Jere’s therapist typed out his notes and uploaded them to Vastaamo’s servers. “I was just being honest,” Jere says. He had “no idea” that they were backing the information up digitally.
Vastaamo ran the largest network of private mental-health providers in Finland. In a country of just 5.5 million—about the same as the state of Minnesota—it was the “McDonald’s of psychotherapy,” one Finnish journalist told me. And because of that, the attack on the company rocked all of Finland. Around 30,000 people are believed to have received the ransom demand; some 25,000 reported it to the police. On October 29, a headline in the Helsinki Times read: “Vastaamo Hacking Could Turn Into Largest Criminal Case in Finnish History.” That prediction seems to have come true.
If the scale of the attack was shocking, so was its cruelty. Not just because the records were so sensitive; not just because the attacker, or attackers, singled out patients like wounded animals; but also because, out of all the countries on earth, Finland should have been among the best able to prevent such a breach. Along with neighboring Estonia, it is widely considered a pioneer in digital health. Since the late 1990s, Finnish leaders have pursued the principle of “citizen-centered, seamless” care, backed up by investments in technology infrastructure. Today, every Finnish citizen has access to a highly secure service called Kanta, where they can browse their own treatment records and order prescriptions. Their health providers can use the system to coordinate care.
Vastaamo was a private company, but it seemed to operate in the same spirit of tech-enabled ease and accessibility: You booked a therapist with a few clicks, wait times were tolerable, and Finland’s Social Insurance Institution reimbursed a big chunk of the session fee (provided you had a diagnosed mental disorder). The company was run by Ville Tapio, a 39-year-old coder and entrepreneur with sharp eyebrows, slicked-back brown hair, and a heavy jawline. He’d cofounded the company with his parents. They pitched Vastaamo as a humble family-run enterprise committed to improving the mental health of all Finns.
For nearly a decade, the company went from success to success. Sure, some questioned the purity of Tapio’s motives; Kristian Wahlbeck, director of development at Finland’s oldest mental health nonprofit, says he was “a bit frowned-upon” and “perceived as too business-minded.” And yes, there were occasional stories about Vastaamo doing shady-seeming things, such as using Google ads to try to poach prospective patients from a university clinic, as the newspaper Iltalehti reported. But people kept signing up. Tapio was so confident in what he’d created that he spoke about taking his model overseas.