Vastaamo data breach

[2] The extorters demanded 40 bitcoins, roughly worth 450,000 euros at the time, and threatened to publish the records if the ransom was not paid.

To add pressure to their demands, the extorters published hundreds of patient records a day on a Tor message board.

[6] The company's security practices were found to be inadequate: the sensitive data was not encrypted and anonymized[7][6] and the system root did not have a defined password.

It also turned into an international scandal and a cyber-attack unprecedented in its scope due to the tactic called double extortion applied by the cyber criminals.

[21][6] As the company resisted to pay the ransom, the hacker, using the alias “ransom_man,”[18] published the therapist session notes of at least 300 patients,[22] including politicians and police officers,[23] on a public forum through the Tor network.

[19][5] PTK Midco, a holding company owned by Intera Partners, a Finnish private equity firm, which acquired a 70% stake in Vastaamo in May 2019.

[26][27] Focus on balancing availability of information and data governance[21] has increased along with investments in companies' computer security since the hacking incident occurred.

[10] The outcomes of investigations of the security breach, and also any sanctions established, now serve as a reference point to any future legal assessments.

[23] Immediately following the hack, the cabinets from the Finnish government held their regular Wednesday meeting to address cybersecurity issues, create new legislation regarding data security and identity thefts, and promise emergency support for the victims.

[25] Various Finnish organizations have quickly established ways to help the victims, including direct dial-in numbers to churches and therapy services.

[29] Additionally, many companies working with social security numbers and debt collecting had taken action to help the victims whose identities have been stolen.

[33] Author and information technology consultant Petteri Järvinen [fi] has used the relatively light sentence as proof that cybercrime often has no serious consequences for the perpetrator in Finland, even if the victims suffer from its results for the rest of their lives.

Vastaamo, a Finnish company that provided private mental-health services to its patients, founded in 2008.