Patients of a Finnish psychotherapy centre have become the victims of a blackmail campaign after the centre suffered a data breach. It is reported that the centre's data was stolen during two attacks, one occurring in November 2018 and the other between the end of November 2018 and March 2019.
A cyber criminal (or criminals) has used the stolen data to contact patients directly, demanding payment of 200 euros in bitcoin, rising to 500 euros if the patient does not pay within 24 hours. Patients who refuse are threatened with publication of their personal information, including notes from therapy sessions. Around 300 records have already been published on the dark web, which suggests that patients are refusing to pay. The centre itself also received a ransom demand of 500,000 euros for the return of its data, which it has refused to pay.
Whether to pay a ransom is a delicate decision. It requires competing interests and legal considerations to be balanced, including anti-money laundering laws that may restrict or prohibit payment, and a payment offers no guarantee that stolen data will be deleted rather than published anyway. Unfortunately, as this data breach demonstrates, an organisation's refusal to pay can lead to the public disclosure of sensitive information about vulnerable individuals, and to that information being used for further criminal activity, in this case the direct extortion of the patients themselves.
It goes without saying that health records and patient personal information are sensitive. This data breach is a reminder of the serious consequences that can follow when malicious actors gain access to the sensitive information of vulnerable individuals, who in this case included minors. It is therefore extremely important that health service providers proactively manage cyber risks to protect the sensitive information they hold, so as to mitigate the risk of patient information being accessed and misused by malicious actors to directly harm the provider's own patients.