Hacked Healthcare Provider Refuses To Pay Ransom, Attackers Target Psychotherapy Patients

Jackson Lewis P.C.
Contact

Earlier this year, we reported on an evolution in the form of cyberattack known as ransomware –attackers transitioning from denying affected users access to critical data by encrypting it to removing data from the compromised systems and threatening public release in exchange for payment. These attacks typically target the companies maintaining the data. However, attackers may be adopting a new tactic when they do not get paid, targeting the individuals whose sensitive personal information was compromised.

According to reports, a healthcare provider in Finland was hacked and the attackers demanded 40 bitcoins (or about $525,000) on the threat of public disclosure of patient psychotherapy records. Businesses in the US hearing these facts might be thinking of the recent advisory issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) alerting companies of the potential sanctions risk for facilitating ransomware payments. The 22-location psychotherapy provider, Vastaamo, refused to pay the ransom.

When the attackers did not get paid by the provider, patients began receiving emails demanding payment of smaller amounts to avoid disclosure. Reporting on this incident states:

“Therapist session notes of some 300 patients have already been published on a Tor-accessible site on the dark web. Among the victims are Finnish politicians (e.g., Member of Parliament Eeva-Johanna Eloranta) and minors.

Not much is known yet about the nature of the attack and various governmental agencies are involved.

This incident reveals a troubling pattern of cyberattacks now extending to individuals served by the organizations compromised – patients, students, customers, members, employees, etc.

Organizations devote significant resources to securing their networks and protecting the data they maintain. While that is necessary, considering the nature of the threats and current trends, it likely is not sufficient. Incident response planning is critical, but it needs to be reevaluated and evolve as the threat landscape evolves.

There are many steps organizations could take to minimize the chance and impact of a successful attack, and to be prepared to respond. Situations like this emphasize the need to understand the individuals the organization serves, what their needs might be in a case like this, and how best to communicate with them efficiently.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Lewis P.C. | Attorney Advertising

Written by:

Jackson Lewis P.C.
Contact
more
less

Jackson Lewis P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.