Therapy Patients Blackmailed For Cash After Clinic Data Breach (bbc.co.uk)
"Many patients of a large psychotherapy clinic in Finland have been contacted individually by a blackmailer, after their data was stolen," reports the BBC:
The data appears to have included personal identification records and notes about what was discussed in therapy sessions.
Vastaamo is a nationwide practice with about 20 branches and thousands of patients. The clinic has advised those affected to contact the police. It said it believed the data had been stolen in November 2018, with a further potential breach in March 2019... About 300 records have already been published on the dark web, according to the Associated Press news agency.
On its website, the clinic calls the attack "a great crisis". It has set up a helpline and is offering all victims one free therapy session, the details of which will not be recorded.
According to the article, the blackmailer claims Vastaamo refused to pay the 40 bitcoin ransom — so they are instead blackmailing individual patients.
And one patient even complained that while his therapist took notes in a physical notebook, "he had not been told these would be uploaded to a server."
When will we learn? (Score:5, Insightful)
When will we learn?
If data should be kept private, it should never reside on any internet-connected computer. Not unless you've got a high-dollar team of security professionals with authority to override the CEO securing it. And preferably not even then.
Re: (Score:2)
How many violent sociopaths were contacted?
Re: (Score:2)
Indeed my final thought is I hope the whole psychotherapy industry learns from this, learns that this kind of info should not be put onto computers at all. Or at the most stored only onto a USB stick encrypted and removed at the end of the therapy session.
Re: (Score:2)
It's not just the psychotherapy industry. A few years ago I did some work on a medical doctor's computer system - which involved several internet-connected Windows XP machines because the software they used didn't support even Windows 7, and they didn't want to pay the outrageous prices to upgrade something that was working fine.
I tried to convince them of what an outrageously bad idea that was, and I think I kinda got through since they let me replace the dead computer I was there for with a Windows 10 sys
Re: When will we learn? (Score:1)
You must be a really bad tech because it was very easy and affordable to run winxp on Win7 pro with its virtual machine. Or better yet suggest a real VM.
Seriously, do you even IT?
Re: (Score:1)
You must be a really bad tech because it was very easy and affordable to run winxp on Win7 pro with its virtual machine. Or better yet suggest a real VM.
So this XP system, it has numerous ISA interfaces on a PC/104 bus to control and drive the machinery it is connected to, and one PCI (not express) card for the feedback sensors
The manufacturer has only 16 and 32 bit drivers that speak directly to low range IO ports in memory.
The hardware and software depend upon specific VIA timers. If the CPU is below 500MHz or above 600MHz, none of the hardware will work properly.
Please explain what setting in Virtual PC I use to make this work.
Also how do I load 16 bit
Re: (Score:2)
I wasn't their IT, I was their repair guy. And that's as close to IT as they got. You want to set up a VM environment that isn't begging to be screwed up by IT-less people who think running critical infrastructure on internet-connected XP is a good idea? Not to mention, it does limited good when you still need to connect the XP machine and their sensitive files to the internet for the software to work - virtualization is no magic bullet for security.
The fact that they had no dedicated IT (and I get the im
Re: (Score:2)
When will we learn?
If data should be kept private, it should never reside on any internet-connected computer.
Which is a fine sentiment in theory. In real life, the clinic is expected to use EHR software for all their records. In fact, I think the clinic gets financially penalized (reduced Medicare payments, or something) if they are *not* using EHR.
I've never seen a piece of EHR software that is not an absolute clusterfuck. And I've never seen one that didn't store patient information in the cloud.
(Aside from the obvious security issues, it's also horrible from a work-flow perspective. For example, with the cu
Re: (Score:3)
The human race falls into two groups: Those that have some real clue how IT works and those who do not. MDs are usually in the 2nd group but think they are in the first. Many other groups of "professionals" suffer from the same delusion.
When there is accountability. (Score:2)
These mistakes keep happening because the people responsible are not punished.
Proactive measures could have been taken to prevent this. But they cost money. It is much more profitable to roll the dice on a leak. So that's what people do.
And the teeming masses of consumers get all upset, and then come right back for more the very next day.
So, that's why this keeps happening.
Re: (Score:2)
Yep.
Even an automatic fine of a paltry $1 per person whose information was exposed would provide incentive for the large companies to make sure the obvious holes stay plugged, but I'd much prefer to see something in the $10 - $100 range.
Of course, the real-world result would likely be that companies would do their best to hide the fact that they were hacked, depriving victims of the opportunity to engage in (hopefully) preemptive damage control. After all, it'd often be very difficult to prove where a v
What did they think was going to happen? (Score:1)
The patients agreed to have all their most secret information collected and put on a server. (I'm assuming they signed a consent form agreeing to the collection and storage of data) If you are foolish enough to agree to these terms, I'm sorry. You are a fool. Given enough time, a server run by a clinic is eventually going to leak information. The wonderful thing about computers is that it is possible to steal items of value without having to physically go to a location and "break and enter." In this case,
Re: (Score:1)
Often it's not possible or practical to negotiate on such details, it's all or nothing. For one, insurance co's often limit the selection of co's, and they rarely allow a la carte feature selection.
Re:What did they think was going to happen? (Score:5, Informative)
The patients agreed to have all their most secret information collected and put on a server.
From TFS:
And one patient even complained that while his therapist took notes in a physical notebook, "he had not been told these would be uploaded to a server."
Re: What did they think was going to happen? (Score:2)
"Shaina, they bought their tickets, they knew what they were getting into." *turns to camera* "I say, let them crash."
Re: (Score:1)
If you are foolish enough to agree to these terms, I'm sorry. You are a fool.
Utter crap. Most of these victims (many of whom are children) know nothing of IT security, or even the implications of what can be done with their personal data.
This is a dark day for Finland.
Re: (Score:3)
"The patients agreed..."
The patients of a psychotherapy clinic you mean? The victims of abuse, traumatic stress, mental disorders, and so forth... you want to blame THEM for this?
Question about company responsibility (Score:1)
Re: (Score:1)
IANAL, but yes, GDPR applies to Finland and GDPR is really strict about this. It says that unless the company that was breached cannot prove that it was in any way responsible for the incident, it is responsible. For example, if they bought the service from another company and they made a legal contract (required by GDPR) that the root password must not be root, the company would still be responsible if they did not frequently check that the other company is following the contract.
We also already know that the c
Re: (Score:2)
root/root? That is, without any doubt, gross negligence. Hence they would not only be liable for any and all damage, they would also face criminal prosecution. That is if the "legal" system was willing.
Paper records? (Score:1)
WTF (Score:1)
Whether the patients knew it was on a server is a bit irrelevant; who really reads the 27 pages of micro-printing of disclosures? It is the responsibility of the owner of that information to keep it secure. The blackmail is 40 BC, that's around 1/2 a million USD! And all the company is going to do is give them a free session to make up for their incompetence!
Please! That is insane. In some people's cases this can ruin them at best; many it will push into a downward spiral.
I really hope that law enforce
Re: (Score:1)
40 BC was the ransom to Vastaamo. The ransom to the actual clients was a "mere" $240 if paid promptly.
But hey, why let facts get in the way of your argument.
But your comment about the downward spiral is spot on.
This ransom man is pure evil.
Many of the cases are children.
I can imagine things like (Score:3, Funny)
"Patient is here because he is paranoid about having his personal fears leaked to the internet"
The point of failure ... (Score:2)
... is not the psychotherapy clinic. As always in these matters, it's the fucking gatekeepers.
Re: (Score:1)
I disagree. The point of failure is the clinic doing things on the cheap, with no actual experts (which are expensive) involved, no security concept, no security testing, nothing. Somebody else here mentioned the root account had password "root". Negligence does not get more gross than this, and whoever hired the person doing system administration shares that blame.
Re: (Score:2)
You think clinics change passwords on a fucking system? Seriously?
Have you ever worked in IT?
Re: (Score:2)
You think clinics change passwords on a fucking system? Seriously?
Have you ever worked in IT?
I did an IT audit for a large University hospital not too long ago. Not everybody is completely incompetent.
Re: (Score:2)
So, "no."
What the clinic did should be illegal. (Score:2)
Let economics fix this: require insurance (Score:5, Insightful)
Require companies that have personal data to be insured against the data being released. The amount depends on the nature of the data and the damage it can cause. Say phone numbers / addresses ~10K$/address. Credit cards $25K/number. Medical data like this, that could have long-term effects on someone's career, maybe $250K/person.
Then it's up to the company to convince their insurer that they are storing the data securely.
If someone says, "what about Apple or Google who have hundreds of millions of records - that would be a trillion in liability". Yup. Maybe they shouldn't have those records.
Re: (Score:2)
So much this. Make personally identifiable data collection anathema to companies. Think that anonymizing the data is sufficient? It usually isn’t. Convince the insurance company otherwise. Want to understand trends? Great, use data collection methods such as differential privacy that allow you to gather data on trends without having the capacity to know what data pertained to a particular person (e.g. to give an imperfect example, have your app randomly flip half the users’ yes answers to no; be
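The randomized-response idea the comment above sketches, carried through as an added example (this is not code from the comment or from any project on the page): a per-user coin flip makes any single stored answer deniable while the aggregate "yes" rate is still recoverable. It uses Warner's classic two-coin variant rather than the comment's one-sided flip; the population and seed are constructed.

```python
"""Randomized response: collect a yes/no trend without trustworthy per-user rows.

Each respondent answers through a randomizing step, so the server learns the
population rate, but a leaked row is a noisy view of that person's true answer.
"""
import random


def randomize_one(true_answer: bool, rng: random.Random) -> bool:
    """Warner's randomized response with p = 1/2 (two fair coin flips).

    First coin heads: report the truth. First coin tails: report the second coin.
    A reported 'yes' is 3x as likely under a true 'yes' as under a true 'no',
    which bounds what any single record reveals (epsilon = ln 3).
    """
    if rng.random() < 0.5:
        return true_answer
    return rng.random() < 0.5


def estimate_true_fraction(reports: list) -> float:
    """Unbiased estimate of the true 'yes' fraction from the noisy reports.

    E[reported yes] = 0.5 * p_true + 0.25, so p_true = 2 * observed - 0.5.
    Clamped to [0, 1] because sampling noise can push the raw value outside.
    """
    observed = sum(reports) / len(reports)
    return min(1.0, max(0.0, 2 * observed - 0.5))


def simulate(n_users: int, true_rate: float, seed: int) -> tuple:
    """Constructed population: each user truly answers 'yes' with prob true_rate.

    Returns (true fraction in this sample, estimate recovered from noisy reports,
    fraction of stored rows that differ from the truth).
    """
    rng = random.Random(seed)
    truths = [rng.random() < true_rate for _ in range(n_users)]
    reports = [randomize_one(t, rng) for t in truths]
    wrong_rows = sum(t != r for t, r in zip(truths, reports)) / n_users
    return sum(truths) / n_users, estimate_true_fraction(reports), wrong_rows


if __name__ == "__main__":
    true_frac, est, wrong = simulate(100_000, 0.3, seed=7)
    # The trend survives (est ~ true_frac) while ~25% of rows are wrong.
    print(f"true={true_frac:.3f} estimate={est:.3f} wrong_rows={wrong:.3f}")
```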
Re: (Score:2)
Very much so. And more if anybody can demonstrate higher levels of damage. Nothing but insurers doing (hostile) audits of the IT security in place will fix this problem.
Re: (Score:2)
Don't you have such things as phone books, where people can look up phone numbers and addresses?
My guess is that a simple search will show phone number and address for >95% of all people if you just look it up, so don't see how these can be so secret.
Re: (Score:2)
I think I'm like many people in that my personal / cell phone number is intentionally listed anywhere. I
Re: (Score:2)
Of course. The point is that it makes it expensive for companies to store this sort of information, so in a competitive market, those companies that store less information will tend to succeed.
What a bunch of motherfuckers. (Score:5, Insightful)
Let's not ignore the real psychos (Score:2)
I cannot help but laugh. Who is retarded enough to hide behind bitcoin, to believe disclosing patient information causes enough fear to give them leverage and then to talk psychiatrists into paying a ransom?
These have got to be kids, because only kids can be this dumb to believe their plan is going to work.
"I know where you live!" - Blackmailer
"Do you often talk about home?" - Psychiatrist
"Please do come for a visit." - Homicidal patient
Mass Data Obfuscation (Score:2)
Just like the average citizen struggling to determine what information on the Internet is legitimate, baddies will be overwhelmed so it all becomes tainted, especially since the people involved are anonym
Re: (Score:1)
It's often possible to cross-reference info to find out what's legitimate. Randomness lacks consistency, by definition.
Re: (Score:2)
It would have to be trivial to distinguish; otherwise the system would be impossible to use.
The fake patients would have to have appointments etc. You would have to prevent them from showing up in scheduling, so somewhere there would be a flag or something to differentiate.
Re: (Score:2)
The bad guys would be wasting their time trying to sort the fake dumps from the real ones.
Re: (Score:2)
Adding noise to the dark web helps how? You are not going to be a trusted seller, just another rando trying to prove themselves. That means needing working samples to establish some trust. It's not the 80's - 90's where people were just dumping the data in dark corners for bragging rights; money is changing hands.
Re: (Score:2)
Groups/People need reputation to sell the data; you also have middle men getting larger dumps and selling off smaller pieces. Like I said, it's no longer the 80-90s when people would release for the bragging rights; now it's all profit motivated.
The person who did it is going down (Score:1)
No matter how many crypto "tumbling" or "shape-shifting" services the threat actor is planning to use, the moment they convert the crypto to fiat they will get caught, even if they try to use a p2p market.
The internet is not the wild west and this sub-human garbage will soon learn it the hard way.