Incident: Data Breach at Finnish Psychotherapy Center Leads to Blackmail Crisis

Published Date: 2020-10-25

Postmortem Analysis
Timeline
1. The incident at the Vastaamo psychotherapy center in Finland took place between November 2018 and March 2019, according to the articles [106365, 106332]. The estimated timeline for the incident is therefore November 2018 to March 2019.
System
1. Vastaamo's patient database security system [106365, 106332]
2. Vastaamo's data protection measures [106365, 106332]

Responsible Organization
1. Hackers accessed patient records at the Vastaamo psychotherapy center, causing the security breach [106365, 106332].
2. The breach was due to security flaws in Vastaamo's systems that allowed the hackers to access the patient database [106332].
3. The CEO of Vastaamo was fired for concealing the initial data breach from the company's board and parent company [106332].

Impacted Organization
1. Patients at the Vastaamo psychotherapy center in Finland [106365, 106332]
2. The Vastaamo psychotherapy center itself, as its client register containing patient information was likely stolen [106365, 106332]

Software Causes
1. The software cause of the incident was a data breach in which hackers accessed patient records at the Vastaamo psychotherapy center, leading to the theft of intimate patient information [106365, 106332].
2. The breach occurred due to security flaws in Vastaamo's patient database, which hackers first accessed in November 2018 and which persisted until March 2019 [106332].

Non-software Causes
1. Lack of proper cybersecurity measures and protocols at the Vastaamo psychotherapy center, allowing hackers to access patient records [106365, 106332].
2. Failure to promptly detect and address the initial data breach in November 2018, so that the security flaws persisted until March 2019 [106332].
3. Concealment of the breach by the CEO of Vastaamo from the company's board and parent company, indicating a lack of transparency and accountability within the organization [106332].

Impacts
1. Patient records at a private Finnish psychotherapy center were accessed by hackers, potentially compromising intimate patient information, including names, contact information, care plans, and professional entries [106365, 106332].
2. The stolen records did not spell out specific discussions with patients but included personal information such as social security numbers and addresses [106332].
3. Victims of the breach faced the threat of blackmail, with cyber-criminals demanding ransoms in Bitcoin to prevent the public disclosure of their personal information [106365, 106332].
4. The breach had significant psychological impacts on the victims; Finland's leaders expressed dismay and emphasized the need for immediate support and help for the affected individuals [106332].
5. The breach led to the firing of the psychotherapy center's CEO, Ville Tapio, after it was revealed that he had concealed the initial breach from the company's board and parent company [106332].

Preventions
1. Robust cybersecurity measures such as regular security audits, penetration testing, and intrusion detection systems could have prevented the incident [106365, 106332].
2. Timely detection of and response to security breaches, through continuous monitoring of systems and data, could have helped prevent the incident [106365, 106332].
3. Proper encryption of sensitive patient data could have made it more difficult for hackers to access and misuse the information [106365, 106332].
4. Improved employee training on cybersecurity best practices and protocols, to prevent social engineering attacks or internal data breaches, could have mitigated the risk of such incidents [106332].
5. Prompt disclosure of security breaches to the relevant authorities and stakeholders could have enabled a quicker response to contain the breach and protect affected individuals [106332].

Fixes
1. Enhancing cybersecurity measures to prevent future breaches, such as implementing stronger encryption protocols, regular security audits, and intrusion detection systems [106365, 106332].
2. Conducting a thorough investigation to identify the vulnerabilities in the software systems that allowed the hackers to access sensitive patient data [106365, 106332].
3. Implementing stricter access controls and monitoring mechanisms to ensure that only authorized personnel can access and modify patient records [106365, 106332].
4. Providing immediate support and assistance to the victims of the breach, including counseling services and guidance on how to handle extortion attempts [106365, 106332].
5. Collaborating with law enforcement agencies to track down the perpetrators and hold them accountable for their actions [106365, 106332].

References
1. Vastaamo psychotherapy center
2. Finnish Interior Minister Maria Ohisalo
3. National Bureau of Investigation
4. Finnish police
5. President Sauli Niinistö
6. Prime Minister Sanna Marin
7. Marko Leponen, National Bureau of Investigation's chief investigator
8. Mikko Hypponen, chief research officer of Finnish data security company F-Secure
9. Finnish data security company F-Secure
10. Various Finnish organizations
11. Detective inspector Marko Leponen
12. Ville Tapio, former CEO of Vastaamo
13. Finland's transport and communications agency, Traficom
[106365, 106332]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization
Rationale:
(a) The software failure incident having happened again at one_organization:
- The software failure incident at the Vastaamo psychotherapy center in Finland involved a data breach in which patient records were accessed by hackers demanding ransoms [106365].
- The breach at Vastaamo was not a one-time event but had occurred previously, with the initial data breach happening in November 2018 and continuing until March 2019 [106332].
(b) The software failure incident having happened again at multiple_organization:
- There is no specific mention in the articles of the same incident happening at other organizations or with their products and services.

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase can be seen in Vastaamo's patient database first being accessed by hackers in November 2018, with security flaws persisting until March 2019. This indicates a failure due to contributing factors introduced by system development or updates [106332].
(b) The software failure incident related to the operation phase is evident in some victims receiving emails demanding payments in bitcoin to prevent the public disclosure of their personal information. Authorities are discouraging victims from paying the hackers, emphasizing that paying will not ensure their data remains private, highlighting a failure due to contributing factors introduced by the operation or misuse of the system [106332].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident at the Vastaamo psychotherapy center in Finland was primarily due to factors originating from within the system. The breach involved hackers accessing patient records stored within Vastaamo's data systems, compromising sensitive information such as therapy session details, care plans, and personal information of thousands of patients [106365, 106332]. The breach was facilitated by security flaws within Vastaamo's systems, which allowed the initial unauthorized access in November 2018 and persisted until March 2019 [106332]. The incident also involved the blackmailing of patients with demands for ransom payments in exchange for keeping their information private, indicating a direct impact on the system and its security measures [106365, 106332].
(b) outside_system: The software failure incident also had elements originating from outside the system, such as the actions of the hackers who exploited vulnerabilities within Vastaamo's systems to gain unauthorized access to patient records [106365, 106332]. The hackers demanded ransoms from the affected patients, indicating an external threat that targeted the system from outside sources [106365, 106332]. Additionally, the perpetrators used the anonymous Tor communication software to publish patient records, highlighting external tools and methods used in the breach [106365].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The software failure incident at the Vastaamo psychotherapy center in Finland was caused by a hacker or hackers who accessed patient records and demanded ransoms [106365].
- The breach involved the theft of patient records, including personal information and therapy session details, likely stolen during two attacks that started almost two years ago [106365].
- The stolen records were published using the anonymous Tor communication software, and the blackmailer approached victims directly with extortion letters [106365].
- The breach led to the exposure of confidential records of thousands of psychotherapy patients, some of whom faced the threat of blackmail [106332].
- The stolen records included care plans and professional entries but did not spell out specific discussions with patients [106332].
(b) The software failure incident occurring due to human actions:
- The CEO of Vastaamo was fired after it was discovered that he had concealed the initial breach from the company's board and parent company [106332].
- The database was first accessed by hackers in November 2018, and security flaws continued to persist until March 2019 [106332].
- Some victims received emails demanding payments in bitcoin to prevent the public disclosure of their personal information; authorities discouraged victims from paying [106332].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident in the articles was not directly attributed to hardware issues. The incident primarily involved a data breach in which hackers accessed patient records at a psychotherapy center in Finland [106365, 106332]. The breach was a result of cybercriminal activity targeting the software systems and databases of the psychotherapy center, rather than any hardware-related failures.
(b) The software failure incident was primarily due to contributing factors originating in software. The breach involved hackers gaining unauthorized access to the psychotherapy center's data systems, allowing them to steal confidential patient records and personal information [106365, 106332]. The incident was a result of vulnerabilities or weaknesses in the software systems, which enabled the attackers to exploit these flaws and compromise the security of the center's databases.

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident in this case is malicious. Hackers accessed patient records at a private Finnish psychotherapy center and demanded ransoms from the victims. The breach involved the theft of intimate patient information, including names, contact information, care plans, and professional entries. The hackers published patient records and approached victims with extortion letters, demanding payments in Bitcoin to keep the information private [106365, 106332]. The incident involved intentional actions by the hackers to access and exploit sensitive data for financial gain, indicating a malicious objective.

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The software failure incident at the Vastaamo psychotherapy center in Finland was primarily due to poor decisions made by the company. The breach occurred due to security flaws that hackers first exploited in November 2018 and that persisted until March 2019. The CEO of Vastaamo was fired after it was revealed that he had concealed the breach from the company's board and parent company [106332]. Additionally, the incident involved the blackmailing of patients by hackers who demanded ransom payments in exchange for keeping their information private [106365].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident related to development incompetence is evident in the Vastaamo psychotherapy center data breach in Finland. The breach occurred due to a lack of professional competence in handling data security. It was revealed that the patient database was first accessed by hackers in November 2018, and security flaws persisted until March 2019 [106332]. Additionally, it was reported that the CEO of Vastaamo was fired after it was discovered that he had concealed the breach from the company's board and parent company [106332].
(b) The software failure incident related to accidental factors is seen in the breach not being immediately detected or addressed. The breach occurred over a period of time, starting in November 2018 and continuing until March 2019, indicating that the initial intrusion was not promptly identified or mitigated [106332].

Category: Duration
Option: temporary
Rationale:
The software failure incident related to the breach at the Vastaamo psychotherapy center in Finland can be categorized as a temporary failure. The breach occurred over a period of time, with the initial data breach happening in November 2018 and the security flaws persisting until March 2019 [106365, 106332]. This indicates that the breach was not a one-time event but rather a continuous vulnerability in the system that allowed unauthorized access to patient records.

Category: Behaviour
Option: crash, omission, value, other
Rationale:
(a) crash: The software failure incident in the articles can be categorized as a crash. The incident involved a security breach at the Vastaamo psychotherapy center in Finland, where hackers accessed patient records and demanded ransoms. This breach led to a situation in which the system lost control and was not able to perform its intended function of protecting patient data, resulting in a crisis for the center and its clients [106365, 106332].
(b) omission: The incident can also be categorized as an omission. The system failed to perform its intended function of safeguarding patient records and maintaining data security. This omission led to the unauthorized access and theft of sensitive patient information, causing harm to the individuals whose data was compromised [106365, 106332].
(c) timing: The timing of the software failure incident is not directly related to the system performing its intended functions too late or too early. The focus of the incident is on the breach itself and the subsequent extortion attempts rather than on a timing issue [106365, 106332].
(d) value: The incident can be categorized as a value failure. The system failed to perform its intended function of protecting the confidentiality and integrity of patient data, resulting in the compromise of sensitive information such as therapy session records, care plans, and personal details. This incorrect performance of the system led to significant consequences for the affected individuals [106365, 106332].
(e) byzantine: The incident does not exhibit the characteristics of a byzantine failure, in which the system behaves erroneously with inconsistent responses and interactions. The breach and extortion attempts were focused on unauthorized access and data theft rather than on inconsistent behavior [106365, 106332].
(f) other: The other behavior exhibited in this software failure incident is a security breach leading to data theft and extortion. The incident involved malicious actors gaining unauthorized access to the system, stealing sensitive patient information, and using it to extort money from the victims. This behavior is a form of cybercrime that exploits vulnerabilities in the system's security measures [106365, 106332].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property, other
Rationale:
(a) death: People lost their lives due to the software failure - No information in the articles suggests that people lost their lives due to the software failure incident [106365, 106332].
(b) harm: People were physically harmed due to the software failure - The articles do not mention any physical harm caused to individuals by the software failure incident [106365, 106332].
(c) basic: People's access to food or shelter was impacted because of the software failure - There is no mention of people's access to food or shelter being impacted by the software failure incident [106365, 106332].
(d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident led to the compromise of thousands of patient records, including personal information, therapy session details, and care plans, potentially impacting the privacy and security of the individuals affected. Extortion demands were made to victims, and some records were leaked online, indicating a significant impact on data security and privacy [106365, 106332].
(e) delay: People had to postpone an activity due to the software failure - The articles do not mention any activities being postponed due to the software failure incident [106365, 106332].
(f) non-human: Non-human entities were impacted due to the software failure - The software failure incident primarily affected the security and privacy of patient records at the psychotherapy center, with no specific mention of non-human entities being impacted [106365, 106332].
(g) no_consequence: There were no real observed consequences of the software failure - The software failure incident had significant consequences, including the compromise of patient records, extortion demands, and the need for immediate support for victims [106365, 106332].
(h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles do not discuss potential consequences that did not occur as a result of the software failure incident [106365, 106332].
(i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The software failure incident resulted in victims receiving extortion demands in Bitcoin, the potential public disclosure of personal information, and the need for victims to save evidence and file police reports. Additionally, the CEO of the psychotherapy center was fired for concealing the breach from the company's board and parent company, indicating organizational consequences [106365, 106332].

Category: Domain
Option: health
Rationale:
The software failure incident reported in the news articles is related to the **health** industry. The incident involved a data breach at a private Finnish psychotherapy center, Vastaamo, in which the confidential records of thousands of psychotherapy patients were hacked, leading to blackmail threats [106365, 106332]. The compromised data included patient records with intimate information, therapy session details, care plans, and professional entries. The breach exposed personal information such as the social security numbers and addresses of patients. The hackers demanded ransom payments in Bitcoin from the victims to prevent the disclosure of their personal information [106365, 106332]. The incident has raised concerns about the security and privacy of sensitive health information, prompting reactions from Finland's leaders, including President Sauli Niinistö and Prime Minister Sanna Marin. Authorities are working to investigate the breach and provide support to the affected patients. Vastaamo has initiated an internal inquiry into the matter and has taken actions such as firing its CEO for concealing the breach [106332]. In summary, the software failure incident in question is directly related to the **health** industry, specifically affecting the psychotherapy services provided by Vastaamo in Finland.

Sources