November 30, 2020

Volume X, Number 335

Advertisement

Hacked Healthcare Provider Refuses to Pay Ransom, Attackers Target Psychotherapy Patients

Earlier this year, we reported on an evolution in the form of cyberattack known as ransomware –attackers transitioning from denying affected users access to critical data by encrypting it to removing data from the compromised systems and threatening public release in exchange for payment. These attacks typically target the companies maintaining the data. However, attackers may be adopting a new tactic when they do not get paid, targeting the individuals whose sensitive personal information was compromised.

According to reports, a healthcare provider in Finland was hacked and the attackers demanded 40 bitcoins (or about $525,000) on the threat of public disclosure of patient psychotherapy records. Businesses in the US hearing these facts might be thinking of the recent advisory issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) alerting companies of the potential sanctions risk for facilitating ransomware payments. The 22-location psychotherapy provider, Vastaamo, refused to pay the ransom.

When the attackers did not get paid by the provider, patients began receiving emails demanding payment of smaller amounts to avoid disclosure. Reporting on this incident states:

Therapist session notes of some 300 patients have already been published on a Tor-accessible site on the dark web. Among the victims are Finnish politicians (e.g., Member of Parliament Eeva-Johanna Eloranta) and minors.

Not much is known yet about the nature of the attack and various governmental agencies are involved.

This incident reveals a troubling pattern of cyberattacks now extending to individuals served by the organizations compromised – patients, students, customers, members, employees, etc.

Organizations devote significant resources to securing their networks and protecting the data they maintain. While that is necessary, considering the nature of the threats and current trends, it likely is not sufficient. Incident response planning is critical, but it needs to be reevaluated and evolve as the threat landscape evolves.

There are many steps organizations could take to minimize the chance and impact of a successful attack, and to be prepared to respond. Situations like this emphasize the need to understand the individuals the organization serves, what their needs might be in a case like this, and how best to communicate with them efficiently.

Jackson Lewis P.C. © 2020National Law Review, Volume X, Number 300
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Principal

Joseph J. Lazzarotti is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. He founded and currently helps to co-lead the firm's Privacy, e-Communication and Data Security Practice, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals.

In short, his practice focuses on the matrix of laws governing the privacy, security and management of data, as well as the impact and regulation of social media. He also...

973- 538-6890
Advertisement
Advertisement