Two security incidents have been recorded at a Helsinki clinic

Patients at a Finnish mental health clinic are allegedly being blackmailed after a data breach

Patients seeking mental health services at Vastaamo clinic in Helsinki are being blackmailed following two suspected data breaches.

Cyber-attackers reportedly stole personally identifiable information (PII) belonging to patients and are now blackmailing both the organization and individuals affected.

Hundreds, potentially thousands, of people appear to have had their records stolen, local media reports. Many patients received care paid for by Finnish Social Security (Kela).

Vastaamo said that it is “likely” that the clinic’s systems were first accessed in November 2018, and then between the end of November 2018 and March 2019.

Read more of the latest data breach news

Clinical records are reportedly being published daily on the dark web, and the attackers do not intend to stop until they are paid €450,000 ($530,000) in bitcoin.

It also appears that those responsible are contacting individuals with extortion demands of between €200-500 in bitcoin in return for the deletion of their private records.

Names, email addresses, and telephone numbers belonging to both adults and minors are reportedly compromised, as well as notes relating to therapy sessions.

F-Secure chief research officer Mikko Hyppönen, who is based in Finland, said therapist session notes belonging to 300 patients had been leaked online.

RECOMMENDED Anatomy of a healthcare data breach dissected

An emergency meeting was held by cabinet members at Finland’s interior ministry on Sunday to discuss the cybersecurity incident. Finland’s president, Sauli Niinisto, called the blackmail “cruel” and “repulsive”.

In a statement posted to the firm’s website (translated), Vastaamo said the “emergency caused by the crisis is great”.

Vastaamo said law enforcement is investigating and other organizations in the sector are also offering crisis support.

Those contacted by the threat actors are urged not to pay the ransom and to file a report with the police.

The Daily Swig has reached out to Vastaamo with additional queries and will update accordingly.

YOU MAY ALSO LIKE US healthcare provider pays $5 million in 2014 data breach settlement