Vastaamo breach, bankruptcy indicate troubling trend

First came the breach, then came the blackmail; now the Vastaamo Psychotherapy Centre has closed its doors for good.

Four months after revealing it suffered a data breach in which patient records were stolen, Finland's largest psychotherapy center has declared bankruptcy. A significant part of the incident occurred after threat actors attempted to extort the center and threatened to release confidential therapy notes and sessions. When Vastaamo refused to pay the ransom, threat actors started blackmailing victims directly.

In a statement on its website, Vastaamo said the bankruptcy is a direct result of the data breach and blackmailing of patients.

"Vastaamo has been subjected to data breaches and blackmail. Unfortunately, the situation and its handling, as well as the uncertainty that followed the events, have driven the company into insolvency and Vastaamo has filed for bankruptcy on 11 February 2021," the statement said (translated from the original Finnish).

SearchSecurity reached out to Vastaamo on how victims being extorted directly had affected the center. "Both Vastaamo and the individuals are victims of hacking and extortion, and obviously with grave impacts," a spokesperson said in an email to SearchSecurity.

Infosec experts say this may become a trend.

In a live webinar on Tuesday titled "Attackers get personal: Email, blackmail and how healthcare data become prime target to cyber attacks," F-Secure chief research officer Mikko Hypponen said hackers stole the private therapy notes of 31,980 patients and then "after failing to blackmail the therapy to pay a ransom, started blackmailing patients directly themselves." That, along with other reasons, make this case rare.

According to Hypponen, F-Secure has a handful of cases where they know blackmailers steal medical information, but even less where they start blackmailing patients. Another rarity: going bankrupt directly as a result of this attack.

"When we look at the history of big hacks, companies suffer but they rarely fold. Companies survive even massively large hacks -- the CEOs, CISOs get fired all the time -- but in general, companies survive. Even in cases where you think there's no way they can survive -- like Ashley Madison, Sony Pictures, Equifax, Yahoo. Of course, there are companies that didn't survive. Vastaamo isn't the only one, but it's surprisingly rare," he said during the webinar. "In general, it doesn't happen."

The original breach occurred in 2018 and impacted tens of thousands of Vastaamo patients. As of November, 25,000 criminal reports had been submitted to Finland police. However, Marko Leponen, detective chief inspector at Finland's National Bureau of Investigation, told SearchSecurity in an email that while they don't have exact numbers, they believe only 10 to 20 victims actually paid the ransoms. Additionally, Leponen said as far as they know, the extortion attempts ceased after the initial weeks following the breach disclosure.

While it is unknown why threat actors stopped extorting victims, Malwarebytes researcher Pieter Arntz said there is speculation that they exaggerated the number of patient files they had access to because the stopped publishing patient data online after the first 200 samples.

"Or there is the distinct possibility their conscience finally kicked in," he said in an email to SearchSecurity.

Instances like the Sony Pictures hack, the Ashley Madison dating site breach and other enterprise breaches that Hypponen referenced resulted in larger consequences, but as he said, they survived. Two major differences with Vastaamo is the sensitive medical information and blackmailing of victims directly, which Hypponen said may become a trend.

Prior to learning of the Vastaamo hack, Hypponen said he believed that most attackers are motivated by financial information.

"If you're trying to make money with your criminal attacks, medical information is not a very good target for you. Well turns out, I might have been wrong," he said during the webinar. "It might be now the case that we are seeing the beginning of the next trend -- a trend where medical information is becoming a prime target for financially motivated criminals. They might not just be blackmailing the organization with the encryption of data, but the patients themselves."

Jared Phipps, senior vice president at SentinelOne, told SearchSecurity that if the attack proves profitable, then it will become a trend.

"We have already seen them blackmailing organizations in several ways. First is the ransomware event. Second is telling victims, after the ransom has been paid that they have altered data and they need to pay for that to be cleaned up, which did not work. Now we see this. It's just a constant evolution of attackers looking for ways to make money -- if they make money on this one you will see it happen again and again," he said in an email to SearchSecurity.

On the other hand, Kaspersky Lab researcher Kurt Baumgartner told SearchSecurity the trend has already started.

"In the JPMorgan breaches of 2014, the criminals targeted the bank's high-wealth customers. There are other examples since then, so we have seen this sort of customer targeting before. Do I think blackmailing health care customers will become a trend? I think that it already happens, but for now, it seems a fairly niche phenomenon," he said in an email to SearchSecurity.

Hypponen said it may actually be two different trends combining for what he refers to as "ransomware 2."

"Not just encrypting but stealing the information and blackmailing. It was started in just January 2020 by Maze. It's an effective way of getting money from organizations even if the organizations have good backups. Maze made so much, they retired," he said during the webinar. "If data is stolen and running a leak site, it's a hard position and this is the reason why we've seen over the last year companies pay the ransom more than ever. One reason companies pay these ransoms is medical information. They can't afford this information to be posted on the public web, so they pay."

In this case, Vastaamo did not pay, but some victims did. It is unclear if victims paying directly had any effect on the therapy center declaring bankruptcy. Arntz said the press release states that taking care of the aftermath cost Vastaamo so much that the liquidation process likely led to the bankruptcy. "It's also important to realize that they could be facing a considerable GDPR fine if they were found to be careless with their customer data," he said in an email to SearchSecurity.

According to Vastaamo's statement, the "liquidator has entered into a preliminary agreement to sell the business to Verve," a nationwide provider of occupational welfare services. Verve released a statement Feb. 2 which said it "entered into a preliminary agreement to acquire the psychotherapy business of psychotherapy center Vastaamo."

Leponen said the investigation will continue even if the therapy center collapses.