A threat actor has penetrated vulnerabilities of a psychotherapy clinic and is threatening to release therapy notes of patients after successful breaches between November 2018 and March 2019. The Finnish clinic, Vastaamo, noticed this behavior at the end of September 2020, but the behavior was only noticed because the threat actor contacted Vastaamo’s employees communicating an extortion demand. There is no clear indicator of compromise at this point in time, but Vastaamo claims it has been asked to send $530,000 worth of bitcoin in order to prevent data from the public domain. As a consequence of this cyberattack, a leader in the organization has been removed.

On top of the employee communication, the threat actor going by the alias “ransom_man” has directly contacted some patients of the clinic for payments of up to $240. As the patients file individual police reports about the ransom demands and attack, they have been instructed not to pay ransoms given the likelihood of their data already being available on the dark web.

Although, Vastaamo has engaged with a private security firm, its data has already been exposed. At least 300 patient names and contact information have been published but this number could be in the thousands. It is important to take a step back and understand Vastaamo’s breaches between November 2018 and March 2019. It is often thought threat actors attack you once and move on, but this is not always true. Threat actors can continually poke at your organization until there is no possible way to infiltrate the network and environment.

Small and medium sized organizations like Vastaamo are not always as protected as they claim. They usually lack the budget and capabilities to protect themselves. Vastaamo said their information systems are “highly secure,” but this comes as another reminder that cyber protection, for any organization, is completely necessary.

Patient information is always crucial, but this situation is different than most healthcare attacks. Vastaamo’s patient policy requires that they keep patient notes for at least 12 years before erasing. The fact that this type of data is kept this long only increases the likelihood of it being accessed during a breach. On top of this, the notes could be from private sessions – something the patients have no desire of another person seeing. As mentioned above, many patients are seeking help from police as this stressful situation ensues. The threat actor, “ransom_man”, has and is threatening to publish this sensitive information on a Tor site where many dark web users can access.

A patient received an email on October 24 from the threat actors demanding €200 in bitcoin. If the patient didn’t pay within 24 hours, the threat actor would increase it to €500. If the individual refused, their conversations with the therapist would be made public. Patients are terrified of not only knowing their intimate conversations are out there, but also how it has long-term affects of family members and stolen identity.

Even though some threat groups have promised not to target healthcare facilities amidst the global pandemic, some are still obviously taking advantage of the situation. They have, in fact, targeted hospitals, urgent cares and physician offices during this time.

It is not yet known what threat group is behind this attack, but this is besides the fact. The point is for all endpoints to be monitored and secured when holding sensitive and confidential information. SpearTip’s ShadowSpear® Memory Injection Prevention module prevents attacks like this on networks. Our cybersecurity professionals are always on alert for malware and manipulative programs by building cases on the threat groups and actors that are encountered on a daily basis. Our 24/7 Security Operations Center (SOC) is complete with certified security engineers to monitor and protect your environment. Not only are they continuously preventing cyberattacks, but they can also deploy our proprietary tool, ShadowSpear® in your environment before or after an attack.