Topics: Crime, Privacy, EU, Security

Therapy Patients Blackmailed For Cash After Clinic Data Breach (bbc.co.uk) 55

"Many patients of a large psychotherapy clinic in Finland have been contacted individually by a blackmailer, after their data was stolen," reports the BBC: The data appears to have included personal identification records and notes about what was discussed in therapy sessions.

Vastaamo is a nationwide practice with about 20 branches and thousands of patients. The clinic has advised those affected to contact the police. It said it believed the data had been stolen in November 2018, with a further potential breach in March 2019... About 300 records have already been published on the dark web, according to the Associated Press news agency.

On its website, the clinic calls the attack "a great crisis". It has set up a helpline and is offering all victims one free therapy session, the details of which will not be recorded.

According to the article, the blackmailer claims Vastaamo refused to pay the 40 bitcoin ransom — so they are instead blackmailing individual patients.

And one patient even complained that while his therapist took notes in a physical notebook, "he had not been told these would be uploaded to a server."
  • by Immerman ( 2627577 ) on Saturday October 31, 2020 @10:50AM (#60668960)

    When will we learn?

    If data should be kept private, it should never reside on any internet-connected computer. Not unless you've got a high-dollar team of security professionals with authority to override the CEO securing it. And preferably not even then.

    • by MrL0G1C ( 867445 )

      Indeed, my final thought is I hope the whole psychotherapy industry learns from this, learns that this kind of info should not be put onto computers at all. Or at the most stored only on a USB stick, encrypted and removed at the end of the therapy session.

      • It's not just the psychotherapy industry. A few years ago I did some work on a medical doctor's computer system - which involved several internet-connected Windows XP machines because the software they used didn't support even Windows 7, and they didn't want to pay the outrageous prices to upgrade something that was working fine.

        I tried to convince them of what an outrageously bad idea that was, and I think I kinda got through since they let me replace the dead computer I was there for with a Window 10 sys

        • You must be a really bad tech because it was very easy and affordable to run winxp on Win7 pro with its virtual machine. Or better yet suggest a real VM.

          Seriously, do you even IT?

          • by Anonymous Coward

            You must be a really bad tech because it was very easy and affordable to run winxp on Win7 pro with its virtual machine. Or better yet suggest a real VM.

            So this XP system, it has numerous ISA interfaces on a PC/104 bus to control and drive the machinery it is connected to, and one PCI (not express) card for the feedback sensors
            The manufacturer has only 16 and 32 bit drivers that speak directly to low range IO ports in memory.

            The hardware and software depend upon specific VIA timers. If the CPU is below 500MHz or above 600MHz, none of the hardware will work properly.

            Please explain what setting in Virtual PC I use to make this work.
            Also how do I load 16 bit

          • I wasn't their IT, I was their repair guy. And that's as close to IT as they got. You want to set up a VM environment that isn't begging to be screwed up by IT-less people who think running critical infrastructure on internet-connected XP is a good idea? Not to mention, it does limited good when you still need to connect the XP machine and their sensitive files to the internet for the software to work - virtualization is no magic bullet for security.

            The fact that they had no dedicated IT (and I get the im

    • When will we learn?

      If data should be kept private, it should never reside on any internet-connected computer.

      Which is a fine sentiment in theory. In real life, the clinic is expected to use EHR software for all their records. In fact, I think the clinic gets financially penalized (reduced Medicare payments, or something) if they are *not* using EHR.

      I've never seen a piece of EHR software that is not an absolute clusterfuck. And I've never seen one that didn't store patient information in the cloud.

      (Aside from the obvious security issues, it's also horrible from a work-flow perspective. For example, with the cu

    • by gweihir ( 88907 )

      The human race falls into two groups: Those that have some real clue how IT works and those who do not. MDs are usually in the 2nd group but think they are in the first. Many other groups of "professionals" suffer from the same delusion.

    • These mistakes keep happening because the people responsible are not punished.

      Proactive measures could have been taken to prevent this. But they cost money. It is much more profitable to roll the dice on a leak. So that's what people do.

      And the teeming masses of consumers get all upset, and then come right back for more the very next day.

      So, that's why this keeps happening.

      • Yep.

        Even an automatic fine of a paltry $1 per person whose information was exposed would provide incentive for the large companies to make sure the obvious holes stay plugged, but I'd much prefer to see something in the $10 - $100 range.

        Of course, the real-world result would likely be that companies would do their best to hide the fact that they were hacked, depriving victims of the opportunity to engage in (hopefully) preemptive damage control. After all, it'd often be very difficult to prove where a v

  • The patients agreed to have all their most secret information collected and put on a server. (I'm assuming they signed a consent form agreeing to the collection and storage of data) If you are foolish enough to agree to these terms, I'm sorry. You are a fool. Given enough time, a server run by a clinic is eventually going to leak information. The wonderful thing about computers is that it is possible to steal items of value without having to physically go to a location and "break and enter." In this case,

    • by Tablizer ( 95088 )

      The patients agreed to have all their most secret information collected and put on a server. (I'm assuming they signed a consent form agreeing to the collection and storage of data) If you are foolish enough to agree to these terms, I'm sorry. You are a fool.

      Often it's not possible or practical to negotiate on such details, it's all or nothing. For one, insurance co's often limit the selection of co's, and they rarely allow a la carte feature selection.

    • by CaptainDork ( 3678879 ) on Saturday October 31, 2020 @11:25AM (#60669084)

      The patients agreed to have all their most secret information collected and put on a server.

      From TFS:

      And one patient even complained that while his therapist took notes in a physical notebook, "he had not been told these would be uploaded to a server."

    • by nicnet ( 1232268 )

      If you are foolish enough to agree to these terms, I'm sorry. You are a fool. .

      Utter crap. Most of these victims (many of whom are children) know nothing of IT security, or even the implications of what can be done with their personal data.
      This is a dark day for Finland.

    • by vux984 ( 928602 )

      "The patients agreed..."

      The patients of a psychotherapy clinic you mean? The victims of abuse, traumatic stress, mental disorders, and so forth... you want to blame THEM for this?

  • May I ask Slashdotters' opinion of the matter. In Finnish news articles it has been suggested that the access was gained by entering the root account with password: root. What would be the company's responsibility with this low level of security? https://amp.reddit.com/r/Suomi... [reddit.com]
    • by esm88 ( 7392896 )
      IANAL, but Finland is part of the EU and therefore under GDPR.
      • by dvice ( 6309704 )

        IANAL, but yes, GDPR applies to Finland and GDPR is really strict about this. It says that unless the company that was breached can prove that it was not in any way responsible for the incident, it is responsible. For example, if they bought the service from another company and they made a legal contract (required by GDPR) that the root password must not be root, the company would still be responsible if they did not frequently check that the other company is following the contract.

        We also already know that the c

    • by gweihir ( 88907 )

      root/root? That is, without any doubt, gross negligence. Hence they would not only be liable for any and all damage, they would also face criminal prosecution. That is if the "legal" system was willing.

  • Personally, I think it's time that we stopped putting absolutely everything on computers. Only information critical to a patient's care need be stored on a server.
  • by jerzee ( 165610 )

    Whether the patients knew it was on a server is a bit irrelevant; who really reads the 27 pages of micro-printing of disclosures? It is the responsibility of the owner of that information to keep it secure. The blackmail is 40 BTC, that's around half a million USD! And all the company is going to do is give them a free session to make up for their incompetence!

    Please! That is insane. In some people's cases, this can ruin them at best; many it will push into a downward spiral.

    I really hope that law enforce

    • by nicnet ( 1232268 )

      40 BTC was the ransom to Vastaamo. The ransom to the actual clients was a "mere" $240 if paid promptly.
      But hey, why let facts get in the way of your argument.
      But your comment about the downward spiral is spot on.
      This ransom man is pure evil.
      Many of the cases are children.

  • by Tablizer ( 95088 ) on Saturday October 31, 2020 @11:20AM (#60669068) Journal

    "Patient is here because he is paranoid about having his personal fears leaked to the internet"

  • ... is not the psychotherapy clinic. As always in these matters, it's the fucking gatekeepers.

    • by gweihir ( 88907 )

      I disagree. The point of failure is the clinic doing things on the cheap, with no actual experts (which are expensive) involved, no security concept, no security testing, nothing. Somebody else here mentioned the root account had password "root". Negligence does not get more gross than this, and whoever hired the person doing system administration shares that blame.

  • Putting this kind of information on a publicly networked computer system should be illegal, period. There is no reason why electronic systems used for this purpose shouldn't be protected by the use of privately networked computers protected by FDE (TPM+PIN) and Active Directory (LDAP+Kerberos) user credentials, with each therapist using EFS (asymmetric per-file encryption) to make sure their notes are only readable to them, appropriately authorised managers and potentially (in emergencies) trusted members o
  • by joe_frisch ( 1366229 ) on Saturday October 31, 2020 @11:47AM (#60669156)

    Require companies that have personal data to be insured against the data being released. Amount depends on the nature of the data due to the damage it can cause. Say phone numbers / address ~10K$/address. Credit cards $25K/number. Medical data like this, that could have long term effects on someone's career, maybe $250K/person.

    Then it's up to the company to convince their insurer that they are storing the data securely.

    If someone says, "what about Apple or Google who have hundreds of millions of records - that would be a trillion in liability". Yup. Maybe they shouldn't have those records.

    • So much this. Make personally identifiable data collection anathema to companies. Think that anonymizing the data is sufficient? It usually isn’t. Convince the insurance company otherwise. Want to understand trends? Great, use data collection methods such as differential privacy that allow you to gather data on trends without having the capacity to know what data pertained to a particular person (e.g. to give an imperfect example, have your app randomly flip half the users’ yes answers to no; be
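    The "randomly flip half the users' answers" idea in the comment above is the classic randomized-response mechanism. The following is an added example (not code from the page or from any product discussed on it) showing the whole loop: each respondent privatises their own answer with two coin flips, the collector never sees a true answer, yet the population rate is still recoverable with an unbiased estimator. The population, the `p_truth` parameter and the seed are constructed for the demonstration.

```python
"""Randomized response (local differential privacy), as an added example.

Mechanism (p_truth = 0.5 by default):
  coin 1: with probability p_truth the respondent reports the truth;
  otherwise coin 2 decides the report, uniformly yes/no.
The collector only ever sees the reported bits.
"""
from __future__ import annotations

import math
import random


def randomized_response(true_answer: bool, rng: random.Random, p_truth: float = 0.5) -> bool:
    """Privatise one respondent's answer. Runs on the respondent's side."""
    if rng.random() < p_truth:          # coin 1 says: tell the truth
        return true_answer
    return rng.random() < 0.5            # coin 1 says: answer a second coin instead


def epsilon(p_truth: float = 0.5) -> float:
    """Privacy loss of the mechanism: ln of the worst-case likelihood ratio.

    P(report yes | truth yes) = p_truth + (1 - p_truth)/2
    P(report yes | truth no)  = (1 - p_truth)/2
    With p_truth = 0.5 the ratio is 3, i.e. epsilon = ln 3.
    """
    noise = (1.0 - p_truth) / 2.0
    return math.log((p_truth + noise) / noise)


def estimate_true_rate(reported: list[bool], p_truth: float = 0.5) -> float:
    """Unbiased estimator for the fraction of true 'yes' answers.

    E[reported yes rate] = p_truth * p + (1 - p_truth)/2, solve for p.
    """
    if not reported:
        raise ValueError("no responses to estimate from")
    p_yes = sum(reported) / len(reported)
    noise = (1.0 - p_truth) / 2.0
    p = (p_yes - noise) / p_truth
    return max(0.0, min(1.0, p))  # clamp: sampling noise can push it outside [0, 1]


def simulate(n: int, true_rate: float, p_truth: float = 0.5, seed: int = 1) -> tuple[float, float]:
    """Constructed population of n respondents, true_rate of them answering 'yes'.

    Returns (observed reported-yes rate, estimated true rate). The first is what
    the collector sees; the second is what it can legitimately infer.
    """
    rng = random.Random(seed)
    truths = [i < int(n * true_rate) for i in range(n)]
    reported = [randomized_response(t, rng, p_truth) for t in truths]
    return sum(reported) / n, estimate_true_rate(reported, p_truth)


if __name__ == "__main__":
    observed, estimated = simulate(100_000, true_rate=0.30)
    print(f"epsilon = ln 3 = {epsilon():.3f}")
    print(f"collector sees {observed:.3f} 'yes'; estimates true rate {estimated:.3f}")
```

    Note the trade-off the estimator makes visible: raising `p_truth` tightens the estimate but raises `epsilon`, and with `p_truth = 1` every individual answer is exposed. Any single reported "yes" is still deniable, since a truthful "no" produces a reported "yes" a quarter of the time.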

    • by gweihir ( 88907 )

      Very much so. And more if anybody can demonstrate higher levels of damage. Nothing but insurers doing (hostile) audits of the IT security in place will fix this problem.

    • Don't you have such things as phone books, where people can look up phone numbers and addresses?

      My guess is that a simple search will show phone number and address for >95% of all people if you just look it up, so don't see how these can be so secret.

    • Hopefully, you're aware who pays the hefty price for that kind of insurance in the end? Hint: It is not the shop/bank/clinic...
      • Of course. The point is that it makes it expensive for companies to store this sort of information, so in a competitive market, those companies that store less information will tend to succeed.

  • by AndyKron ( 937105 ) on Saturday October 31, 2020 @11:52AM (#60669172)
    Offering all victims one free therapy session, the details of which will not be recorded? Seriously? What a bunch of motherfuckers. I bet they record too because that's what motherfuckers do.
  • I cannot help but laugh. Who is retarded enough to hide behind bitcoin, to believe disclosing patient information causes enough fear to give them leverage and then to talk psychiatrists into paying a ransom?

    These have got to be kids, because only kids can be this dumb to believe their plan is going to work.

    "I know where you live!" - Blackmailer
    "Do you often talk about home?" - Psychiatrist
    "Please do come for a visit." - Homicidal patient

  • Would this work: Almost constantly dump fake information "breaches" onto the dark web. That is, use real information that is already easily obtained and public, perhaps, but mixed with data that is false--fake social security numbers, credit card numbers, phone numbers, medical histories, you name it.

    Just like the average citizen struggling to determine what information on the Internet is legitimate, baddies will be overwhelmed so it all becomes tainted, especially since the people involved are anonym
    • by Tablizer ( 95088 )

      It's often possible to cross-reference info to find out what's legitimate. Randomness lacks consistency, by definition.

    • Would have to be trivial to distinguish otherwise the system would be impossible to use.

      The fake patients would have to have appointments etc, You would have to prevent them from showing up in scheduling, so somewhere there would be a flag or something to differentiate.

      • by kackle ( 910159 )
        Perhaps I wasn't clear: If I make a fake breach dump made up of legitimate names, addresses and phone numbers from local phone books, and then add false, random credit card numbers to that database and posted it somewhere, no one would know it's bogus until they tried to use it. Minutes later, post another fake dump. At random intervals, under random usernames, keep posting more of them, repeatedly, forever.

        The bad guys would be wasting their time trying to sort the fake dumps from the real ones.
          • Adding noise to the dark web helps how? You are not going to be a trusted seller, just another rando trying to prove themselves. That means needing working samples to establish some trust. It's not the 80s-90s, where people were just dumping the data in dark corners for bragging rights; money is changing hands.

          • by kackle ( 910159 )
            I guess I'm ignorant here. Are the same dark web users repeatedly selling newfound information? I assumed it would be different dumps by different users every time.
            • Groups/people need reputation to sell the data; you also have middlemen getting larger dumps and selling off smaller pieces. Like I said, it's no longer the 80s-90s when people would release for the bragging rights; now it's all profit-motivated.
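  The cross-referencing point made earlier in this thread ("randomness lacks consistency") has a concrete form for card numbers: they carry a Luhn check digit, so a dump padded with random 16-digit strings fails a one-line consistency check about 90% of the time. The following is an added example, not code from the page, with a small constructed dump (two industry-standard test numbers plus two random fillers) and the name `triage_dump` chosen here; it also shows that a faker who knows the rule can trivially make the digits pass, which is why real triage cross-references several fields rather than trusting one.

```python
"""Luhn consistency triage of a constructed breach dump (added example)."""
import random


def luhn_valid(number: str) -> bool:
    """Standard Luhn mod-10 check over the digits of `number`."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(prefix: str) -> str:
    """The digit that makes prefix + digit Luhn-valid (how a faker beats the check)."""
    for d in "0123456789":
        if luhn_valid(prefix + d):
            return d
    raise RuntimeError("unreachable: exactly one digit in 0-9 satisfies Luhn")


# Constructed dump: (holder, card number). The first two are the well-known
# Visa/Mastercard test numbers; the last two are random padding.
CONSTRUCTED_DUMP = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
    ("carol", "1234567890123456"),
    ("dave", "9876543210987654"),
]


def triage_dump(records):
    """Split records into (consistent, inconsistent) holder lists by Luhn check."""
    consistent, inconsistent = [], []
    for holder, number in records:
        (consistent if luhn_valid(number) else inconsistent).append(holder)
    return consistent, inconsistent


def random_pass_rate(n: int, seed: int = 7) -> float:
    """Fraction of uniformly random 16-digit strings that pass Luhn (about 1/10)."""
    rng = random.Random(seed)
    passes = sum(
        luhn_valid("".join(rng.choice("0123456789") for _ in range(16)))
        for _ in range(n)
    )
    return passes / n


if __name__ == "__main__":
    good, bad = triage_dump(CONSTRUCTED_DUMP)
    print("consistent:", good, "inconsistent:", bad)
    print("random 16-digit strings passing Luhn:", random_pass_rate(10_000))
    print("fixed-up filler:", "123456789012345" + luhn_check_digit("123456789012345"))
```

  The Luhn check only detects naive padding; a dump whose fillers were generated with `luhn_check_digit` sails through it, and the consumer then has to check issuer prefix ranges, expiry plausibility, address-to-phone consistency and so on. That is exactly the "cross-reference" the earlier comment describes, and why noise that is internally inconsistent costs the buyer little time.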

  • The Finnish IT cyber security community has put a bounty on this threat actor's head. They are going down.

    No matter how many crypto "tumbling" or "shape-shifting" services the threat actor is planning to use, the moment they convert the crypto to fiat they will get caught, even if they try to use a p2p market.

    The internet is not the wild west and this sub-human garbage will soon learn it the hard way.
