First of all, any doctor's office, hospital, therapy practice or other healthcare facility is probably the worst place you can have a breach. Time and time again, we've seen different places get breached, but this one is one I don't think I even saw coming. To make matters worse, the breach happened at some point in 2018 and we're only finding out now. Yahoo's problems were bad enough with a three-year delay, yet this isn't the end of the story.
Cyberscoop's Joe Warminsky wrote this article, and while reading it I got to thinking that F-Secure might weigh in. Sure enough, F-Secure's Mikko Hyppönen did put his two cents' worth into this article, as I would expect.
He thinks that this breach is the work of more than one person. He may be on to something, seeing how the company wasn't contacted with a demand for payment until some two years later.
If I were to breach a company like this and exfiltrate its data, I'd want to get the maximum I thought the company could pay for that data. I wouldn't want to wait some two years after the fact; I'd want to make the most of what I'd found.
It is rare to see blackmail come out of an attack, says the article. A couple of paragraphs from the article indicate that both customers and employees have been victims:
Vastaamo said customers and employees had "personally been victims of extortion" in the case. Reports say that on Oct. 21 and Oct. 22, the cybercriminals began posting batches of about 100 patient records on the dark web and allowing people to pay about 500 euros to have their information taken down. The company has opened a crisis hotline for patients to call, with therapists available for free, and says it is working with credit-reporting organizations to protect the personally identifiable information of anyone affected by the breach.
500 euros is roughly $591.07 at the time of writing. It's chump change for some people, but it could be a problem for others, especially when that $591 needs to be paid in bitcoin.
Want good news out of this?
Vastaamo, which operates as a subcontractor for Finland's national health system, said that as far as it knows, patient data created after November 2018 was not breached.
That is just like the breach at DoorDash, where people who signed up in 2018 and before were targeted, yet anyone who signed up after the 2018 cutoff date was never affected. Here is the DoorDash blog post from September 2019. Here is a link to podcast 325 of the tech podcast, where DoorDash is one of the topics.
Want to read more about this bizarre case? Why not go over to Cyberscoop and read Data breach at Finnish psychotherapy center takes a darker turn with extortion attempts, and let the blog comments begin.