Vastaamo, the country’s largest private psychiatric treatment center, said the attackers were able to steal records of treatment sessions and personal information of patients, including social security numbers and addresses. The stolen records do not spell out specific discussions with patients, but include maintenance plans and short professional inputs.
Authorities are working to locate patients who received emails threatening to release their personal information if the recipient does not pay the blackmailer. Some records have already been leaked online.
Finnish police are working with other agencies to investigate data breaches targeting Vastaamo, which treats about 40,000 patients across the country. Police believe the number of affected patients could rise to tens of thousands.
“We are grateful to various actors in the community for helping the police,” said Marko Leponen, a detective with the Finnish National Intelligence Service. “It is best to ask all citizens not to share this matter on social media. Sharing information like this fulfills the essential elements of a crime,” he added.
Some of the victims have received emails asking them to pay in bitcoin to prevent their personal information from being made public, which the authorities are encouraging them not to do. Instead, agencies ask those patients to save the extortion emails and other evidence they may have and file a police report. Police have discouraged paying the hackers, which they say does not guarantee that the data stays private.
Finnish leaders have expressed dissatisfaction with the violation and said victims need immediate support.
“This data breach is shocking in many ways,” Finnish Prime Minister Sanna Marin said on Twitter on Saturday. “Victims now need support and assistance. Ministries are exploring ways to help victims. The actions of municipalities and organizations are also needed.”
The country’s president, Sauli Niinistö, told Yle News on Sunday that the breach was “incessantly cruel.”
“We all have our inner personality that we want to protect. Now it has been violated,” he said.
Vastaamo said it had launched an internal investigation into the matter, and on Monday admitted on its website that its patient database was first accessed by hackers in November 2018. The company said the security vulnerabilities lasted until March 2019. It fired its CEO, Ville Tapio, who was found to have hidden a breach from the company’s board and parent company.
Tapio said in a statement posted on his Facebook page Monday evening that he was unaware of the initial data breach in November 2018.
Traficom, Finland’s transport and communications agency, said on Monday it was working with other public authorities to set up a website to help victims.
“In this situation, the need arose to make the updated information available in one place,” said Traficom Director-General Kirsi Karlamaa. “We hope the site will be useful to them in this difficult situation.”
CNN’s Sharif Paget contributed to the report from Atlanta.