A dying man, a therapist and the ransom raid that shook the world

Patients put their trust in a therapy company to keep their notes and diagnoses private. Then the ransom demands arrived
Getty Images / WIRED

Jukka-Pekka Puro will never forget 2017. Facing the heartbreak of a divorce, Puro, a university lecturer in Turku, southwestern Finland, found himself tussling with depression. This spiralled into suicidal ideations when doctors told him he had aggressive kidney cancer, and no more than a few years to live. He knew he needed professional help.

Puro turned to Vastaamo, a private company that runs 25 therapy centres across Finland, and sub-contracts psychotherapy services for Finland’s public health system. Through a handful of therapy sessions he divulged intimate details about his personal life and mental health issues and slowly came to accept that he was soon going to die.

After a handful of sessions, Puro’s therapist moved on to find new work, supposedly saying he couldn’t do anything more to help. Puro has managed alone since then, but his story has taken another dark twist – one that has shaken him to the core. A data breach at Vastaamo led to Puro and thousands of other vulnerable people being extorted by criminals who threatened to expose their highly sensitive data.

In October, news broke that Vastaamo’s internal systems had been accessed and the data of its 400 employees and approximately 40,000 patients stolen. Addresses, contact details, and unique, government-issued Finnish identity numbers were taken in the breach – leaving victims exposed to fraud and identity theft. The tranche of stolen data also included therapy notes and diagnoses.

The data had been accessed through a security flaw in Vastaamo’s bespoke IT systems, which the company's co-founder and CEO, Ville Tapio, a trained product developer with an education in marketing, commissioned a team of in-house software developers to create.

After attempting to extort a 40-bitcoin (£403,000) ransom from Vastaamo, the unidentified criminals began to target payments from the individual victims, including children. Puro received an email on October 24 demanding €200 in bitcoin; if he didn’t pay within 24 hours, the ransom would rise to €500, otherwise the content of his conversations with his therapist would be made public.

The extortionist, who went by the name “RANSOM_MAN,” claimed they would publish the data of 100 people each day onto their own Tor file server until they received the bitcoin from Vastaamo. As the company resisted, “RANSOM_MAN” published the personal data of 300 people, including various public figures and police officers. They communicated with people on Torilauta (meaning “market board”), a Finnish discussion forum on the dark web, which shut down on November 1. The shutdown was not connected to the breach.

“You expect any company recommended by a public-sector hospital to have secure systems to protect their data,” Puro says. “The fact that someone, somewhere knows about my emotions and can read my intimate files is disturbing, but this also affects my wife and children. Somebody knows, for example, how they’ve reacted to my cancer.”

Beyond all that, Puro is terrified that someone could use his information to steal his identity. “While I do not have long left in my life, what happens if someone uses my personal data after my death? There’s nothing I can do about it.”

Even among experienced cybercriminal investigators, the extortion of Vastaamo data is unusual and harrowing. This is not only because of the size of the breach or extreme sensitivity of the data, but also because the pursuit of individuals demonstrates an escalation in tactics. What’s also notable for the medical profession is that Vastaamo left the door open to hackers, says Mikko Hyppönen, the chief research officer at Finnish cyber security firm F-Secure.

Vastaamo and several of its agents are currently under official investigation by the Data Protection Ombudsman and Finland’s National Bureau of Investigation, respectively. Because of this, the case will have wide implications on healthcare organisations’ obligations to secure their networks, and also their accountability for failing to do so.

One major breach at Vastaamo took place on November 25, 2018, when the size of the electronic patient registry (EPR), where all data was stored, was just over 33,000 customers. The security at this point “wasn't at the needed level to secure the system,” says Marko Leponen, a chief investigator at Finland’s National Bureau of Investigation. It’s possible that the data was also stolen before that, “because it [the EPR] has long been open widely to the internet,” he adds. Leponen refused to comment further on how much data was stolen due to the sensitivities of the case.

Data logs reveal that the EPR was accessed again in March 2019, but it’s not known if this was by the same hackers. It’s also not clear exactly what data was taken. This breach prompted Vastaamo to address the vulnerabilities, but the data was accessible before this, Leponen says. “I think that maybe there has been some kind of party in that database,” Leponen says.

Precise details of the security flaws are unconfirmed, but it’s been reported that historic documents referring to Vastaamo’s EPR were accessible via a simple Google search. Not only did this arouse interest in it, but there were also links to its server. It was even possible to find the EPR itself via a search. In theory, this meant that anyone with the correct username and password combination could access it, and it’s been rumoured that the password settings were left as the default “root-root.” Writing on Torilauta, “RANSOM_MAN” even claimed to have accessed the EPR through a default username and password.

While Tapio accepts that “mistakes were made” and that even the database itself was accessible online, he denies the “widely spread false information” that he was responsible for managing the company’s servers and their related securities. “I think it should be quite obvious that's not what a CEO of a 300-people company does,” he says. He does, however, say that the access passwords were never left as default and suggests that this type of “inaccuracy” in “RANSOM_MAN”’s claims demonstrate that he did not actually source the data. “What the extortionist is saying [about the hack] is incorrect,” he says. “The technical details do not match.”

Three Vastaamo employees were approached by the extortionists towards the end of September 2020, nearly two years after the initial breach. The reason for the delay is unclear; it may be that the extortionists had bought the database from the hackers, or it took some time for the hackers to realise the value of what they had found. Vastaamo officials reported the threat to the National Bureau of Investigation as well as to the Data Protection Ombudsman, but waited until October 21 to go public. It says it had been unable to go public before this due to the police investigation. It hired private cybersecurity firm Nixu to inspect its systems.

News of the breach broke on October 24, as thousands of patients and employees received threats by email. Data suggests that around 36,000 patient reports were stolen. More than 25,000 victims have reported the extortion to the police and between ten and 20 people have paid the ransom. Others have tried to pay, but failed. Vastaamo has sent over 37,000 messages by email, letter, and phone, informing victims about the security breach.

Besides the data of 300 patients, “RANSOM_MAN” made a 10.9GB TAR file available through their server on the morning of October 23. It’s not clear what it was, but if it included the full patient database, then it’s feasible that many people could have downloaded it, acquiring the tools to extort people. One concern is that it’s hard to determine how far this data has already spread and cybercrime officials could find themselves in a game of whack-a-mole for years. A few hours after it was uploaded, the file disappeared.

Shortly after, RANSOM_MAN’s server vanished, triggering speculation that Vastaamo had paid the extortionists. Police have asked Vastaamo to keep that detail private, but Heini Pirttijärvi, Vastaamo’s current CEO, denies any payment has been made. RANSOM_MAN posted a couple more times on Torilauta, before the forum closed. “I think he took down his site because he changed tactics,” Hyppönen says. “He accepted that Vastaamo won’t pay and went after the victims instead, to get at least some money.”

The fallout continued when Vastaamo announced the dismissal of CEO Ville Tapio on October 26 with immediate effect. According to Tuomas Kahri, who replaced Tapio as CEO for four weeks, it is “very probable” that Tapio had known of the breach since at least March 2019, but had not disclosed it. Tapio has denied these allegations publicly, explaining that “the November 2018 data leak and the errors that led to it were only revealed to him on the basis of the study by Nixu in October 2020,” he wrote in a Facebook post.

The following day, Helsinki District Court ordered the temporary seizure of Tapio’s assets, worth more than €10 million, on the application of PTK Midco Oy, the holding company behind the investment vehicle that bought Vastaamo in June 2019. Tapio is accused of concealing the security failings at the time of the sale. According to PTK Midco, Tapio might “conceal, destroy or surrender” property or act in a way that jeopardises its claims.

Tapio says he has been “wrongly” marked as being responsible for the breach. He claims that Vastaamo’s systems were fully secure before 2017, when staff exposed the EPR to the internet by reconfiguring the company’s security systems to cater for a remote administration tool. He also alleges that the data breaches in 2018 and 2019 were “very likely noticed and covered up" in March 2019 by reinstalling the database server's firewall, but that he wasn’t privy to any such conversations. “The systems did not, before November 2017, include the flaw that has probably caused the data breaches in 2018 and 2019.” Tapio says that whenever the company opened new psychotherapy centres its practices and systems were inspected by officials.

As news of the breach surfaced in September 2020, Tapio reported the incident to the police and commissioned a fault detection investigation by Nixu. “The data breach that has taken place is an incomprehensible tragedy that should never have happened. I am shocked by the incident,” Tapio says. “I'm deeply sorry for all the other stakeholders. I understand my responsibility as a CEO, but I am also accused on a number of false grounds.”

Beyond efforts to identify the hackers, Leponen says he is preparing a case against several Vastaamo employees under the Finnish criminal code. The code says a person can be guilty where they intentionally, or through gross negligence, process personal data to violate the privacy of the data subject, causing them “damage or significant inconvenience”. There is no precedent under Finnish law, but Leponen believes his team has enough evidence to prosecute around ten Vastaamo employees. Leponen says these cases will be brought before the Finnish courts next year. Anyone found guilty could face a fine or be imprisoned for up to a year.

Vastaamo is also in the cross hairs. Finland’s national data protection authority, the Office of the Data Protection Ombudsman, is also exploring Vastaamo’s liability. A key question is whether Vastaamo, as the data controller, has acted in accordance with GDPR. If it can be established the company knew of the breach in March 2019, Vastaamo may have breached Article 34 of GDPR, which requires controllers to communicate a data breach to people impacted without undue delay. Vastaamo may be ordered to pay an administrative fine.

“Although I cannot comment on the exact details of the attack, what I can say is that they [Vastaamo] left the door open and the valuable assets openly available,” says Jari Råman, Finland’s deputy data protection ombudsman.

“Our internal investigation has revealed that before April 2019, there was deficiency in the security of Vastaamo's customer information system and it looks that this has been used by criminals to access the customer database,” says Heini Pirttijärvi, Vastaamo’s new CEO. “As a result of the crime, our customers’ information fell into the wrong hands. We are deeply sorry about this.”

As for the security of Vastaamo's systems, Pirttijärvi says that Valvira, the national body responsible for health and welfare, has now inspected its systems. “[It] stated that the necessary adjustments have been made. We are also constantly monitoring the situation,” Pirttijärvi says. Pirttijärvi refused to comment on the details of the security vulnerability and “why we have reason to believe that the former CEO was aware of the first breach,” citing the ongoing investigations. A Vastamo statement issued on November 27 says that “most” of its customers have “continued their treatment at Vastaamo, which has been an important expression of trust for us, and an indication that our therapy services have been relevant to people”.

The Vastaamo scandal has rocked Finland and sent shockwaves well beyond its borders. It’s also a warning. “Medical information stays explosive for decades and we have a long way to go to realising how to store it safely,” says Hyppönen. “Nobody wants to be the next Vastaamo.”

In Finland repercussions of breach are already being felt. The government is fast-tracking legislation that will let citizens change their personal identity codes in cases of data breaches that carry a high risk of identity theft. The conclusions of investigations into the Vastaamo hack, and the gravity of any sanctions imposed, will also likely become reference points for any future legal assessments.

“There are periods when I’m depressed and can’t sleep. And at one point, I was suicidal,” Puro says. “But I’m going to die anyway, and it won’t take long. For my wife and children, however, this will affect them forever.”

This article was originally published by WIRED UK