In what has been described as a “highly unusual ransomware case”, a hacker is demanding money directly from patients after an electronic patient record (EPR) system in Finland was hacked.
According to news reports, private psychotherapy clinic Vastaamo was broken into and the therapist notes for up to 40,000 patients were stolen. It is believed that the hacker tried to extort money from the company first. When it refused, the hacker began emailing the patients whose medical records and therapy notes were stolen, asking each person for €200 ransom paid by bitcoin.
In a tweet, Mikko Hyppönen, chief research officer at F-Secure, said: “The attacker calls himself ‘ransom_man’, is running a Tor site on which he has already leaked the therapist session notes of 300 patients. This is a very sad case for the victims, some of which are underage. The attacker has no shame.”
Responding to Hyppönen’s comment, F-Secure software engineer Jarre Leskinen tweeted: “Based on blockchain transactions #vastaamo likely already paid their ransom and now the attacker is still blackmailing the victims individually. This is totally disgusting.”
It is believed that the hacker had previously spoken to Vastaamo to threaten the release of the data unless the company paid €400,000.
In a video blog about the incident, Finnish e-commerce expert Artem Daniliants said that in 2018, the company had its EPR system hacked and data was stolen. This data was released over the weekend and posted on a Tor-powered forum. He said the hackers asked Vastaamo for a ransom believed to be 500,000 bitcoins.
According to Daniliants, in Finland, an EPR system needs to be audited by the government to ensure it meets a certain level of security. This can be costly and time-consuming, so the Finnish government provides a less stringent policy for EPR systems, classified as “B-level”, which Daniliants said does not require the security audit.
“Vastaamo had a B-level EPR system and had the server exposed publicly,” said Daniliants. This generally goes against best practices for securing EPR systems, where external access is secured via a virtual private network (VPN).
“Their system was exposed to the whole internet and, unfortunately, according to the information I was able to find, it was Apache and PHP,” he said, adding that the company was running outdated versions of these open source servers, which had lots of security holes. “Most likely, the hackers just ran a security scan and found the vulnerable servers.”
BBC News spoke to one victim who said he was contacted by the hacker, going under the pseudonym “ransom guy”, who said the ransom would go up from €200 to €500 if it was not paid within 24 hours. After 72 hours, the victim said the hacker threatened to release the notes from his therapy sessions onto Tor.
Daniliants said the hackers have set up bitcoin wallets for all the Vastaamo patients they contacted directly. “They [ask] you to transfer money in bitcoins to that particular wallet in order to get your data erased,” he added.
Hyppönen said: “I’m aware of only one other patient blackmail case that would be even remotely similar – the Center for Facial Restoration incident in Florida in 2019. This was a different medical area and had a smaller number of victims, but the basic idea was the same.”