A New Low For Hackers – Threatening to Disclose Patient Medical, Mental Health Records as Ransom for Payment
Sunday, May 14, 2023
Hackers Directly Threaten Mental Health Patients for Ransom
Print Mail Download i

Ransomware is a scary term for many business leaders and CISOs who dread being hit with a malware attack that locks up their data and could shut down operations. They expect to find that oddly-worded ransom note advising how they could recover access to their data, for a sizable fee of course. For a variety of reasons, including improved controls, backups, a loathe for paying criminal threat actors, organizations are increasingly refusing to pay hackers.

Hackers have responded to these refusals with threats to disclose sensitive personal information online and even resorting to directly contacting the individuals whose data has been compromised.

Wall Street Journal article this morning speaks to this disturbing trend in data breaches. Vastaamo, a psychotherapy treatment center in Helsinki, was hit with a cyberattack in 2020. The hackers exfiltrated sensitive patient mental health records of 33,000 patients and threatened to disclose them online unless Vastaamo paid the ransom – approximately 400,000 euros.

According to the article:

“When the clinic didn’t pay, the hacker pressed individual patients for payment with bullying emails…one victim said the hacker gave her 24 hours to pay around 200 euros in bitcoin, or her therapy records would be posted.”  

Going directly to the affected individuals, whether they be patients, employees, students, etc. allows the hackers to also apply significant pressure on the organization to pay a much larger sum.

The decision to pay or not to pay a ransom comes with a range of critical considerations, some of which are discussed here. In the fog of an attack, with the press, government agencies, affiliates, and/or patients or other affected individuals looking to the organization for answers, working to develop an effective strategy is far more difficult. Increasing preparedness will not make this process easy, however, tough decisions need to be made. But working through these kinds of scenarios and planning generally for an attack will better equip executives and the board to work through the facts of their case and make better decisions more quickly.

Jackson Lewis P.C. © 2024

Current Legal Analysis

More from Jackson Lewis P.C.

USCIS Removes Validity Period on Immigration Medical Exam Form I-693
by: Manda Brefo
DOL Releases Final White-Collar Exemption Rule, Sets Minimum Salary to Increase in Phases Beginning July 1, 2024
by: Jeff Barnes , Jeffrey W. Brecher
New HIPAA Final Rule Imposes Added Protections for Reproductive Health Care Privacy
by: Joseph J. Lazzarotti
Special Report: PWFA Final Regulations
by: Joseph J. Lynett , Katharine C. Weber
EEOC Issues Final Regulations to Implement the Pregnant Workers Fairness Act
by: Jenifer M. Bologna , Katharine C. Weber
Department of Education Releases Final Rule Amending Title IX Regulations
by: Susan D. Friedfel , Monica H. Khetarpal
Pregnant Workers Fairness Act Final Regulations Released
by: Joseph J. Lynett , Katharine C. Weber
USCIS Issues Employment Authorization Procedures for Palestinians on Deferred Enforced Departure
by: Forrest G. Read IV
OSHA Proposes Expansion of Workplace Protections for Emergency Responders
by: Courtney M. Malveaux , Melanie L. Paul
Ninth Circuit Holds Warehouse Worker Qualifies as Transportation Worker Under FAA Exemption
by: Scott P. Jang

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins