The best part about paying for blackmail is that you are signalling your willingness to pay in order to remain hidden. That's a great opportunity for repeat business from the blackmailer's point of view.
A Finnish psychotherapy centre was hit by hackers who stole therapy session notes – before threatening patients of the clinic with ransom demands amid selective dark web leaks of stolen material. "Psychotherapy Center Vastaamo has been the victim of data breaches and blackmail," said the Helsinki-based clinical chain late last …
It strikes me that there is an opportunity to render Bitcoin payments to extortionists useless, since the offending accounts and their transactions can be trivially identified because they are public, even if the physical owners aren't.
Some de-anonymisation can of course be done since users usually have to reveal their identity in order to receive many services or goods - but more to the point all you need is for financial regulators to maintain a public list of blacklisted bitcoin accounts, and anyone who accepts coinage that has ever passed through a blacklisted account would simply be added to the blacklist. i.e. unlike real money, I think this traceability means bitcoin cannot be "laundered".
Search for bitcoin mixers / tumblers. Enough passes through enough of these services and, as I understand it, the privacy-sensitive scuzzballs can effectively launder BTC.
These launderers could read the blacklist like anyone else. If they chose not to, then I guess their business would become nonviable as their customers desert them for fear of being blacklisted themselves.
...Target and exploit the details of some of our most vulnerable fellow human beings for financial gain. Ransomware hackers are scumbags at the best of times but, even for them, this is low... If this encourages even one person to choose to avoid seeking psychological help for an issue, rather than risk having details of their mental health put up for sale or made public (there is a huge amount of stigma attached to mental health in many societies) then these bastards deserve jail time.
They weren't "accessible online" in the sense that you could go to the web site of the clinic and find them.
They were stored in a computer that was connected to the Internet, and obtained through hacking.
Since hacking exists, storing them in a computer connected to a network with an Internet connection was indeed irresponsible, but a lot of people don't yet realize that. Of course, that wouldn't be true if computers were genuinely secure, but that's not what we have now.
The story isn't really clear in this point, but implies the records were stored in a database. Perhaps part of a document storage system or a medical records system such as Epic?
If so, I'm wondering if this is really a "hack" or just someone logging in to the system through a web portal.
Look, if I'm going to go to a therapist to get help with my hedgehog fetish, I sure hope they just keep my notes in a filing cabinet somewhere (disused lavatory?) and don't type/scan them into some database. Sure, someone can physically break in to the filing cabinet, and the files can be lost in a fire or whatever, but I have a hard time imagining what the benefit of computerization here is. (Also, as the stereotype goes, no one else can even read the doctor's handwriting.)
That may be your hope, but in the US the reality is that your medical records are going to be stored electronically.
I am unaware of any HIPAA rules that exempt any sensitive records, since they are all considered to be sensitive. To the contrary, it seems that CMS (government overseer) has been pushing to get everything stored electronically.
* I spent the last decade of my career working with those systems, but someone may have better insight on those HIPAA rules.
I think there should be a law that says ALL personal information has to be stored encrypted and the encryption keys stored separately.
I do understand that the bad guys probably had full control over all the devices making this more difficult.
I purchased a used 500Gb external drive from a computer recycling center here in town and when I ran the open-source recovery program PhotoRec I recovered several years of medical records.
When I tried to return the drive to the recycling center the "IT" guy refused to give me the contact information of the owner and even tried doing a Jedi mind trick telling me that I did not purchase the drive there even though I had a receipt and used my debit card for purchase showing the name of the recycling center with time stamps.
It was failures all the way down.
The data should have been stored on an encrypted partition by the medical personnel that had it first and the "IT" guy at the computer recycling center should have wiped the drive properly.
I think there should be a law that says ALL personal information has to be stored encrypted and the encryption keys stored separately.
Usually this is accomplished through high profile lawsuits for when people fail to do it voluntarily...
(so I have my doubts whether a law would make a difference)
A general "data protection" regulation (assuming it does not already exist) MIGHT help, but I expect that one (or more) already exists by now.
When I tried to return the drive to the recycling center the "IT" guy refused to give me the contact information of the owner and even tried doing a Jedi mind trick telling me that I did not purchase the drive there even though I had a receipt and used my debit card for purchase showing the name of the recycling center with time stamps.
Err, why was it necessary to run the recovery program?
One assumes the disk was bought to use, not find out what was on it....
Yes, it should have been securely erased or just destroyed, but that is the contract between the company that disposed of the equipment and the recycler. They were correct in not giving you the details. The fact that they probably do nothing at all is a different issue.
It's a most heinous crime exploiting the most vulnerable. I hope the victims are compensated upfront without needing to take legal action. To the victims all I can advise is don't be 'victim shamed', there is no shame in mental health issues today - and certainly don't pay the scum.
I've mentioned this before because it's funny. I asked my health centre to send all my NHS records to my encrypted account. Instead, for security(?) they printed them out and posted them to my neighbour.
The problem with your suggestion is that compensation may be impossible. If someone's therapy concerned relationships with identifiable living people who get to see the information the damage may be done and irreversible. Yes, the victims should receive compensation, but that may not be anything like enough.
Firstly, I should say that I'm a retired old f*rt, with a completely uninteresting LAN at home.
In the last month, there have been two fairly serious attempts by unknown actors to log on to my FTP server. I know this because the Linux box in question has pretty extensive logging enabled. It looks to me (note: not a qualified security expert, just a retired old f*rt) that someone used whois to get a list of BT IP addresses and instructed a robot to try it on with each and every BT IP address. My tiny personal Linux LAN was clearly not an obvious target....probably not a target at all.
To get to the point....if people running professional services businesses (like a Finnish psychotherapy clinic) DON'T KNOW that this sort of thing is going on day in and day out on the internet -- with random probing being done by who-knows-who.......then they clearly need professional help! And they are clearly not doing much to protect their customers.
One wonders just how much slack security there is out there......probably MUCH MORE than we ever hear about.
(P.S. The FTP server has been removed completely. The robots and script kiddies can have a go at the replacement -- sshd and sftp.)
The IPv4 space is not that big. There are millions of bots constantly scanning it for vulnerable hosts, including SSH hosts.
I ended up with a cryptominer in a computer of mine once. Silliest thing, I was testing something and had created a temporary account "dev" / "dev" or some such, which I then forgot to delete. Of course, that account like every other in the system was accessible via SSH, and with such an uncommon username and secure choice of password you can guess what happened.
Since then, on all computers that I manage I create a new "sshusers" group and only users who are members of it (and have secure passwords) are allowed in via SSH.
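The "sshusers" setup the commenter above describes, written out as an added example that is not code from the thread. It assumes an OpenSSH server with its config at /etc/ssh/sshd_config (overridable via SSHD_CONFIG), the group name sshusers (overridable via SSH_GROUP), and root privileges only when you actually apply it with --apply; the config rewrite itself works on any file so it can be dry-run on a copy.

```shell
#!/bin/sh
# Added example: restrict SSH logins to members of one group via AllowGroups.
# Assumed paths/names: SSHD_CONFIG and SSH_GROUP below are defaults, not from the thread.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SSH_GROUP="${SSH_GROUP:-sshusers}"

# Rewrite config file $1 so that exactly one "AllowGroups $2" directive exists.
# Existing AllowGroups lines (active or commented out) are dropped first, which
# makes the function idempotent; every other line is preserved as-is.
restrict_sshd_to_group() {
    cfg="$1"; grp="$2"
    tmp="$(mktemp)"
    grep -Ev '^[[:space:]]*#?[[:space:]]*AllowGroups[[:space:]]' "$cfg" > "$tmp" || true
    printf '\n# Only members of this group may log in over SSH\nAllowGroups %s\n' "$grp" >> "$tmp"
    cat "$tmp" > "$cfg"   # cat, not mv, keeps the original file's owner and mode
    rm -f "$tmp"
}

# Number of active AllowGroups directives in config file $1 (used to verify the rewrite).
allowgroups_count() {
    grep -Ec '^[[:space:]]*AllowGroups[[:space:]]' "$1" || true
}

# Apply to the live system: create the group, add the admin user $1 to it, rewrite the
# config, then validate with "sshd -t" BEFORE reloading so a bad config cannot lock
# everyone out. The previous config is kept as a .bak and restored on failure.
apply_live() {
    admin="$1"
    getent group "$SSH_GROUP" >/dev/null || groupadd "$SSH_GROUP"
    usermod -aG "$SSH_GROUP" "$admin"
    cp "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    restrict_sshd_to_group "$SSHD_CONFIG" "$SSH_GROUP"
    if sshd -t -f "$SSHD_CONFIG"; then
        systemctl reload sshd 2>/dev/null || service ssh reload
    else
        echo "sshd_config failed validation, restoring backup" >&2
        cp "$SSHD_CONFIG.bak" "$SSHD_CONFIG"
        return 1
    fi
}

# Usage: sh restrict_ssh.sh --apply <admin-user>   (run as root; keep a session open)
if [ "${1:-}" = "--apply" ]; then
    apply_live "${2:-$USER}"
fi
```

Keep an existing root/admin SSH session open while applying, and confirm a fresh login as a group member works before closing it, since a forgotten account like the "dev" one above is exactly what AllowGroups shuts out.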