Sensitive personal information from psychotherapy centers going astray. Patients are...

On Sunday, the Finnish government will hold a crisis meeting on the growing scandal.

Hackers have broken into the database of Vastaamo, a private company that offers talk therapy to thousands of patients in Finland.

Sensitive information from the psychotherapy center must have been leaked on the Tor network, also called the dark network. Now more patients are under pressure for money.

According to Finnish media, so far we know 300 people which has had sensitive information leaked. The numbers can be much higher.

In addition to information such as name, address and social security number, the leak must also contain medical records and what the patients have said to the therapists during the lessons.

In recent days, several patients have received emails asking for money.

The well-known parliamentarian Eeva-Johanna Eloranta has, among other things, been demanded to pay 500 euros in bitcoin for confidential information to be deleted.

Tens of thousands may be affected

The exact extent of the scandal is not known, but thousands of people are said to be affected.

Estimates suggest that 40,000 patients may be affected in total.

Tuomas Kahri is the general manager of the company Vastaamo, which has offices in 20 different places in the country.

He says that the Finnish criminal police are investigating the case.

Kahri did not want to reveal how much personal information was leaked. Ei or when the actual burglary in the database should have occurred.

On the company’s website, however, Vastaamo writes that information from the time after November 2018 must be secure.

The psychotherapy center states that it has not been possible to release information about the incident earlier due to the police investigation.

Cursed and disappointed

Vastaamo is criticized in the Finnish press for not informing their customers earlier and better. Patients complain that they have to read in the press to get information about the incident, rather than getting information directly from the therapy center.

The Finnish Minister of Social Affairs writes on twitter that they are looking for ways to help the victims of the hacking.

Finnish Yle, similar to NRK in Norway, has spoken to a person affected by the blackmail. The person in question thinks it is terrible how badly the therapy company has handled the incident.

– I am cursed and disappointed, the person in question continues.

In the future, I will think carefully about which agencies have information about me and how they handle it.

The person must have received a demand to pay 200 euros in bitcoin within 24 hours. If not, the sum would increase to 500 euros. If the victim did not pay, all information about the patient would be published. The blackmailer says that the information is detailed excerpts from therapy conversations.

In an interview with Yle, general manager Kahri apologizes for what happened.

They are now working to improve data security in the company, and say they will change routines after the necessary investigations have been completed. The company has also opened an emergency hotline to support affected customers.

– Do not agree to the requirements

Finnish police inform the news agency STT that they have received over 200 reviews from people who suspect that their patient information is out of the question.

– You should not agree to the requirements in these blackmail reports, says Marko Leponen, the head of the Finnish criminal police.

On Saturday night, the police’s electronic service for reviews was congested because so many people reported the blackmail.

The emails that patients have received state that the company’s management has first been pressured for 40 bitcoins. This corresponds to almost NOK 5 million, payment for not publishing the patient records on the dark web. This claim was rejected by the company. Thus, the leaks began, and patients began to receive personal threat messages by e-mail.

Calls for better data security

On Sunday, the government will hold an emergency meeting on the incident.

“This is an extremely serious data breach,” Interior Minister Maria Ohisalo told Yle. The Prime Minister has already condemned the hacking.

The scandal is thus being raised at the highest level in Finland.

Ohisalo writes on Twitter that the victims need “urgent help and support”. She calls for better digital security routines.

The Association for Mental Health Finland announces on Sunday that they are investing extra resources in Krishjälpen, a helpline that will soon have expanded capacity.

Several have posted on social media that they have been hit by the hacking. Among them is former Member of Parliament and EU parliamentarian, Kirsi Piha. She published the blackmail email on

Vastaus: Haistakaa paska! Avun pyytämisessä ei ole koskaan mitään hävettävää. #rikosilmoitustatehdessä pic.twitter.com/tDtoOeCZy5

— Kirsi Piha (@kirsipiha) October 24, 2020

and told that she was not going to pay.

In the wake of this, several have shown support and solidarity with the victims. Hackers must also have been involved on a voluntary basis in the work of finding out who is behind the extortion.

– Could also have happened in Norway

Cathrine Vånge Singstad is a partner in Otte, where she works with security and privacy. She is currently also hired as an Information Security Manager (CICO) in Tolletaten.

She describes the scandal in Finland as serious.

– I do not know the case in detail, but it is clear that this is a very serious case. Both for those concerned, but also for the company that is affected.

Singstad says that all companies that handle sensitive information have a number of duties they must follow.

– There are clear rules for security in the privacy regulations. They deal with, among other things, whether the data is sufficiently secure, whether there is a good enough overview of information, and when it is to be reported to the Data Inspectorate.

Singstad says that a similar incident could also have happened in Norway.

– Such attacks can affect anyone, both companies and individuals in Norway. Even those who work with computer security every single day are exposed to such intrusions.

She says that we all run a risk when we travel online, and points out the importance of public and private companies being aware of computer security.

– Criminals are often one step ahead. I can not stress enough how important it is for companies to have a plan if something similar should happen to them. It must be practiced. Who should you call? Where do you start? Which systems must be shut down? Practice also gives mastery in digital security.