Security experts and politicians have reacted with anger and dismay at the news that tens of thousands of patients at a Finnish psychotherapy clinic may be at risk of online extortion after a cyber-criminal started leaking their records on the dark web.

As Infosecurity reported yesterday, the data was stolen from the public health sub-contractor in two raids between November 2018 and March 2019.

At least 300 records containing names and contact information have been published on a dark web site, presumably to show the hackers mean business.

Individuals are also being sent extortion messages demanding €200 in Bitcoin to keep the data private, with the amount increasing to €500 unless paid within 24 hours. The clinic itself has apparently also been on the receiving end of a ransom demand of €450,000.

“The attacker calls himself ’ransom_man’, and is running a Tor site on which he has already leaked the therapist session notes of 300 patients. This is a very sad case for the victims, some of which are underage. The attacker has no shame,” said F-Secure chief research officer (CRO), Mikko Hyppönen on Twitter.

“I’m aware of only one other patient blackmail case that would be even remotely similar: the Center for Facial Restoration incident in Florida in 2019. This was a different medical area and had a smaller number of victims, but the basic idea was the same.”

The Finnish security expert added in a statement sent to Infosecurity  that he’d like to see not only the culprit arrested but also the clinic investigated.

“I’d also like to see the Vastaamo clinic to be held responsible for failing to protect critical patient data,” he said. “The patients and the therapists did nothing wrong. They are innocent but they pay the highest price.”

Politicians queued up to slam the attacks. Interior Minister Maria Ohisalo described the incident as “shocking and very serious” and said government support would be expedited to help those affected, while President Sauli Niinisto labeled it “cruel” and “repulsive.”

Warren Poschman, the senior solutions architect with comfort AG, argued that the incident highlights the need for data-centric security policies backed by the use of tokenization and format-preserving encryption.

“The reliance on firewalls, strong authentication, and passive database encryption to protect data is simply not enough — the data itself must be protected to ensure that when attackers gain access, customer and patient data will remain secure and privacy upheld,” he said.

Comparitech security specialist, Brian Higgins, described the perpetrator as “morally bankrupt.”

“This incident offers a sober lesson indeed that it is so very important to understand how your personal information will be used, stored and retained by any and all organizations you choose to share it with,” he added.

“The Finnish authorities are right to call this situation ‘exceptional’ and one can only hope Vastaamo will be suitably called to account once the full circumstances are established.”