Hackers rummaged about in Finnish psychotherapy clinic – now patients extorted with public data dump threats

A Finnish psychotherapy centre was hit by hackers who stole therapy session notes – before threatening patients of the clinic with ransom demands amid selective dark web leaks of stolen material. "Psychotherapy Center Vastaamo has been the victim of data breaches and blackmail," said the Helsinki-based clinical chain late last …

  1. Dinanziame Silver badge

    Charming

    The best part about paying for blackmail is that you are signalling your willingness to pay in order to remain hidden. That's a great opportunity for repeat business from the blackmailer's point of view.

    1. Anonymous Coward

      Just a thought

      It strikes me that there is an opportunity to render Bitcoin payments to extortionists useless, since the offending accounts and their transactions can be trivially identified because they are public, even if the physical owners aren't.

      Some de-anonymisation can of course be done since users usually have to reveal their identity in order to receive many services or goods - but more to the point all you need is for financial regulators to maintain a public list of blacklisted bitcoin accounts, and anyone who accepts coinage that has ever passed through a blacklisted account would simply be added to the blacklist. i.e. unlike real money, I think this traceability means bitcoin cannot be "laundered".

      1. Anonymous Coward

        Re: Just a thought

        Search for bitcoin mixers / tumblers. Enough passes through enough of these services and as I understand it the privacy sensitive scuzzballs can effectively launder BTC

        1. Anonymous Coward

          Re: Just a thought

          Search for bitcoin mixers / tumblers. Enough passes through enough of these services and as I understand it the privacy sensitive scuzzballs can effectively launder BTC

          These launderers could read the blacklist like anyone else. If they chose not to, then I guess their business would become nonviable as their customers desert them for fear of being blacklisted themselves.

  2. mad_dr

    Wonderful...

    ...Target and exploit the details of some of our most vulnerable fellow human beings for financial gain. Ransomware hackers are scumbags at the best of times but, even for them, this is low... If this encourages even one person to choose to avoid seeking psychological help for an issue, rather than risk having details of their mental health put up for sale or made public (there is a huge amount of stigma attached to mental health in many societies) then these bastards deserve jail time.

    1. John Savard

      Re: Wonderful...

      Of course they do. We just have to persuade Russia to find them.

      Nobody in his right mind living in a country with respect for the law would try a stunt like this.

      1. bombastic bob Silver badge

        Re: Wonderful...

        amazingly enough, criminals think like criminals, and are often arrogant and brazenly open in their defiance of the law.

        this is who we're dealing with: criminals. laws discourage more honest people from misbehaving.

        criminals need to be INCARCERATED.

        1. Anonymous Coward

          Re: Wonderful...

          'criminals need to be INCARCERATED.'

          Sometimes yes, sometimes not, and always where appropriate (I would say in pretty much all cases) given the option and resources to enable rehabilitation.

          Fuck off Bob.

        2. jvf

          Re: Wonderful...

          Criminals like THESE are the reason the death penalty should remain on the books, especially when some distraught victim commits suicide.

        3. Rustbucket

          Re: Wonderful...

          >criminals need to be INCARCERATED.

          Criminals have to be CAUGHT FIRST.

          1. John Doe 12

            Re: Wonderful...

            criminals need to be INCINERATED.

            Which is what I read this as in my first glance - in this case I think it's more correct!!

      2. Claverhouse Silver badge

        Re: Wonderful...

        So all the world's criminals living in law-abiding countries are somehow Russia's fault? They are responsible for the millions of Florida Man people America breeds like rabbits?

  3. Woodnag

    Confuse I be

    How come the therapy notes were accessible online anyway?

    1. John Savard

      Re: Confuse I be

      They weren't "accessible online" in the sense that you could go to the web site of the clinic and find them.

      They were stored in a computer that was connected to the Internet, and obtained through hacking.

      Since hacking exists, storing them in a computer connected to a network with an Internet connection was indeed irresponsible, but a lot of people don't yet realize that. Of course, that wouldn't be true if computers were genuinely secure, but that's not what we have now.

      1. Imhotep

        Re: Confuse I be

        The story isn't really clear on this point, but implies the records were stored in a database. Perhaps part of a document storage system or a medical records system such as Epic?

        If so, I'm wondering if this is really a "hack" or just someone logging in to the system through a web portal.

        1. Simian Surprise

          Re: Confuse I be

          Look, if I'm going to go to a therapist to get help with my hedgehog fetish, I sure hope they just keep my notes in a filing cabinet somewhere (disused lavatory?) and don't type/scan them into some database. Sure, someone can physically break in to the filing cabinet, and the files can be lost in a fire or whatever, but I have a hard time imagining what the benefit of computerization here is. (Also, as the stereotype goes, no one else can even read the doctor's handwriting.)

          1. Imhotep

            Re: Confuse I be

            That may be your hope, but in the US the reality is that your medical records are going to be stored electronically.

            I am unaware of any HIPAA rules that exempt any sensitive records, since they are all considered to be sensitive. To the contrary, it seems that CMS (government overseer) has been pushing to get everything stored electronically.

            * I spent the last decade of my career working with those systems, but someone may have better insight on those HIPAA rules.

            1. a_builder

              Re: Confuse I be

              Maybe they have not heard of EAR (Encryption At Rest)?

              That should sort these kinds of database siphoning attempts.

              Ok you need a slightly more powerful processor for dynamic decryption......

          2. Flywheel

            Re: Confuse I be

            no one else can even read the doctor's handwriting

            I'm no doctor but my handwriting's pretty bad after years of keyboard pounding. With Apple's latest iPadOS update and the introduction of Scribble I'm really impressed that it interprets my scrawl so well!

    2. cd

      Re: Confuse I be

      Whoever thought that was a good idea should have their head examined.

    3. VonCede

      Re: Confuse I be

      On a SQL server, without firewall, protected by login "root", password "root".

      Vastaamo was not connected to the public health services' IT, so their IT was not audited by a third party.

  4. Anonymous Coward

    encryption

    I think there should be a law that says ALL personal information has to be stored encrypted and the encryption keys stored separately.

    I do understand that the bad guys probably had full control over all the devices making this more difficult.

    I purchased a used 500GB external drive from a computer recycling center here in town and when I ran the open-source recovery program PhotoRec I recovered several years of medical records.

    When I tried to return the drive to the recycling center the "IT" guy refused to give me the contact information of the owner and even tried doing a Jedi mind trick telling me that I did not purchase the drive there even though I had a receipt and used my debit card for purchase showing the name of the recycling center with time stamps.

    It was failures all the way down.

    The data should have been stored on an encrypted partition by the medical personnel that had it first and the "IT" guy at the computer recycling center should have wiped the drive properly.

    1. bombastic bob Silver badge

      Re: encryption

      I think there should be a law that says ALL personal information has to be stored encrypted and the encryption keys stored separately.

      Usually this is accomplished through high profile lawsuits for when people fail to do it voluntarily...

      (so I have my doubts whether a law would make a difference)

      A general "data protection" regulation (assuming it does not already exist) MIGHT help, but I expect that one (or more) already exists by now.

      1. Flywheel

        Re: encryption

        Makes me wonder why they don't just issue everyone that needs access to the data with something like a Yubikey or other physical token? It can be worn around the neck and is easy to replace if lost.

    2. Claverhouse Silver badge

      Re: encryption

      When I tried to return the drive to the recycling center the "IT" guy refused to give me the contact information of the owner and even tried doing a Jedi mind trick telling me that I did not purchase the drive there even though I had a receipt and used my debit card for purchase showing the name of the recycling center with time stamps.

      That's hilarious.

    3. hoola Silver badge

      Re: encryption

      Err, why was it necessary to run the recovery program?

      One assumes the disk was bought to use, not find out what was on it....

      Yes, it should have been securely erased or just destroyed but that is the contract between the company that disposed of the equipment and the recycler. They were correct in not giving you the details. The fact they probably do nothing at all is a different issue.

  5. Pascal Monett Silver badge

    "A crisis hotline was made available for victims [..] to access support and therapy"

    Pray tell, are they going to be directed to the same clinic that got them in this mess in the first place?

    1. Anonymous Coward

      Re: "A crisis hotline was made available for victims [..] to access support and therapy"

      Even worse, are they prompted to leave a phone message....?

      Looking at you Murdoch!

  6. Danny 2

    It's a most heinous crime exploiting the most vulnerable. I hope the victims are compensated upfront without needing to take legal action. To the victims all I can advise is don't be 'victim shamed', there is no shame in mental health issues today - and certainly don't pay the scum.

    I've mentioned this before because it's funny. I asked my health centre to send all my NHS records to my encrypted account. Instead, for security(?) they printed them out and posted them to my neighbour.

    1. Eclectic Man Silver badge

      compensation?

      The problem with your suggestion is that compensation may be impossible. If someone's therapy concerned relationships with identifiable living people who get to see the information the damage may be done and irreversible. Yes, the victims should receive compensation, but that may not be anything like enough.

  7. Anonymous Coward

    Hacking Example......

    Firstly, I should say that I'm a retired old f*rt, with a completely uninteresting LAN at home.

    *

    In the last month, there have been two fairly serious attempts by unknown actors to log on to my FTP server. I know this because the Linux box in question has pretty extensive logging enabled. It looks to me (note: not a qualified security expert, just a retired old f*rt) that someone used whois to get a list of BT IP addresses and instructed a robot to try it on with each and every BT IP address. My tiny personal Linux LAN was clearly not an obvious target....probably not a target at all.

    *

    To get to the point....if people running professional services businesses (like a Finnish psychotherapy clinic) DON'T KNOW that this sort of thing is going on day in and day out on the internet -- with random probing being done by who-knows-who.......then they clearly need professional help! And they are clearly not doing much to protect their customers.

    *

    One wonders just how much slack security there is out there......probably MUCH MORE than we ever hear about.

    *

    (P.S. The FTP server has been removed completely. The robots and script kiddies can have a go at the replacement -- sshd and sftp.)

    1. Anonymous Coward

      How I got hacked

      The IPv4 space is not that big. There are millions of bots constantly scanning it for vulnerable hosts, including SSH hosts.

      I ended up with a cryptominer in a computer of mine once. Silliest thing, I was testing something and had created a temporary account "dev" / "dev" or some such, which I then forgot to delete. Of course, that account, like every other in the system, was accessible via SSH, and with such an uncommon username and secure choice of password you can guess what happened.

      Since then, on all computers that I manage I create a new "sshusers" group and only users who are members of it (and have secure passwords) are allowed in via SSH.
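The "sshusers" approach above maps onto sshd's AllowGroups directive. The script below is an added example, not the commenter's own setup: it idempotently manages an AllowGroups line in a copy of sshd_config and mimics the allow/deny decision for a given user, so the effect on a forgotten "dev" account can be checked on a scratch file before touching a live host.

```shell
#!/bin/sh
# Added example (not from the original post): restrict SSH logins to one group
# by managing AllowGroups in an sshd_config. Paths and group name are
# parameters so the functions can be exercised on a scratch copy of the file.
set -eu

# ensure_allowgroups <sshd_config path> <group>
# Adds "AllowGroups <group>" once, replacing any existing AllowGroups line.
# Prints the number of matching lines afterwards (should always be 1).
ensure_allowgroups() {
    cfg=$1; grp=$2
    if grep -Eq '^[[:space:]]*AllowGroups[[:space:]]' "$cfg"; then
        # Replace the existing directive; write via temp file for portability.
        sed "s/^[[:space:]]*AllowGroups[[:space:]].*/AllowGroups $grp/" "$cfg" > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    else
        printf 'AllowGroups %s\n' "$grp" >> "$cfg"
    fi
    grep -c "^AllowGroups $grp\$" "$cfg"
}

# allowed_by_config <sshd_config path> <user> <comma-separated groups of user>
# Mirrors sshd's AllowGroups rule: with the directive present, a user may log
# in only if one of their groups is listed; with no directive, everyone may.
# Returns 0 (allowed) or 1 (denied).
allowed_by_config() {
    cfg=$1; user=$2; groups=$3
    allow=$(awk '$1=="AllowGroups"{for(i=2;i<=NF;i++)print $i}' "$cfg")
    [ -z "$allow" ] && return 0
    for g in $(printf '%s' "$groups" | tr ',' ' '); do
        for a in $allow; do
            [ "$g" = "$a" ] && return 0
        done
    done
    return 1
}

# On a live host the remaining steps are (run as root, shown here as comments):
#   groupadd sshusers && usermod -aG sshusers alice   # enrol the intended users
#   ensure_allowgroups /etc/ssh/sshd_config sshusers
#   sshd -t                                           # syntax-check before reload
#   sshd -T | grep -i allowgroups                     # confirm effective setting
# Keep an existing session open while reloading sshd, so a mistake in the
# directive cannot lock you out.
```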

  8. Anonymous Coward

    Batman

    If they found Batman's files, maybe he will find the hacker and give him some therapy.

    If he gets arrested in the UK, they might give him a 1/2 hour detention and an ice-cream. Besides, it's only a computer crime, nobody got hurt <end sarcasm>
