- Highly sensitive notes from therapy sessions were published online in an attempt to blackmail patients
- Hackers bragged about the poor state of firm’s security
Vastaamo, the Finnish psychotherapy practice that covered up a horrific security breach which resulted in patients receiving blackmail threats, has declared itself bankrupt.
Vastaamo’s problems first began in 2018, when it discovered that a database of customer details and – most shockingly – notes from therapy sessions had been accessed by hackers.
You would like to think that security would then be tightened up, but in March 2019, Vastaamo CEO Ville Tapio knew that hackers had in the months since continued to access the chain of private psychotherapy clinics’ systems.
Astonishingly, Tapio did not share that critical information with the appropriate authorities or with other members of Vastaamo’s board – perhaps because he had been responsible for setting up the database’s security himself.
It was only in October 2020 that the truth finally came out, and the criminals published batches of the sensitive records on the dark web. The hackers initially demanded a ransom payment from Vastaamo of about 450,000 euros, before inviting patients to pay approximately 500 euros if they wanted their data taken down.
An estimated 40,000 patients were affected by the breach.
In online posts, the hackers bragged about the poor state of Vastaamo’s security.
Tapio was subsequently fired, and replaced as the company’s CEO.
The damage, however, was too much for Vastaamo, which has clinics across Finland, to take.
The harm caused by the criminal hackers and the subsequent damage done to Vastaamo brand was simply too great, and the company announced this week that it had been placed in liquidation.
The company has come to an agreement with Verve, another psychotherapy practice based in Finland, that patients can continue to make appointments through them with their therapist or psychiatrist.
In the meantime, patients are being urged not to give in to the ransom demands, and report any communications they receive from the extortionists with the police.
In January, Finland’s social insurance institution Kela said that it was terminating its contract with Vastaamo – not because of the security breach, but due to an inspection discovering that some of the firm’s therapists were not adequately qualified.
According to data collected by security researcher Adrian Sanabria, Vastaamo is one of less than two dozen companies to have been ruined by a data breach, and “is the largest so far, at 400 employees.”