Tag: Health Care

Patients blackmailed after data breach at Finnish private psychotherapy center

9. November 2020

An unknown party breached Vastaamo, a Finnish private psychotherapy center. They accessed the electronic patient record, gathering thousands of confidential patient records.  According to a message left on a Finnish web-forum, they accessed up to 40 000 confidential records of psychotherapy patients. These include not only confidential information regarding therapy sessions but also personal information, such as the social security number. In Finland, this number allows the user to take on credits or found companies. On September 29th Vastaamo notified the Finnish authorities, while they notified the affected via E-Mail and letter after October 21st.

Though the attack prompted an emergency meeting of the Finnish Cabinet, up until now neither Finnish authorities nor Vastaamo released information regarding the nature of the breach.

The initial breach likely occurred in November 2018, while it is believed, there was a second attack that occurred before March 2019. In September 2020, the hackers contacted Vastaamo, demanding a payment of 40 Bitcoin (€ 450 000,00). Vastaamo refused to pay and instead contacted the police and other Finnish authorities. On instruction by the Finnish National Police, Vastaamo published information regarding the data breach, only after some of the data was published on the Tor Network on October 21st. Furthermore, the Board dismissed former CEO Ville Tapio, claiming he concealed the breach.

Further, in late October, the hackers sent messages to patients and employees of Vastaamo, threatening to post their patient files on the internet and demanding payments in Bitcoin. The national police advised victims not to pay the hacker, and instead asked them to save extortion emails or other evidence and file a police report. Until October 30th, Finland’s national police received up to 15 000 reports of offenses regarding this data-breach.

The National Supervisory Authority for Welfare and Health started an investigation of Vastaamo, while the Social Insurance Institution of Finland stopped referrals to Vastaamo.

Ever since the beginning of the Covid-19 pandemic the healthcare and the public health sectors are attacked more frequently, especially in the form of ransomware. The FBI’s Cyber Security Unit (CISA) and the US Department of Health and Human Services have issued a joint advisory regarding the matter. Adding onto that, according to IBM’s annual Cost of a Data Breach Report, the healthcare sector has the highest average breach cost, at 7.13 million per breach.

Cancer Care Organization settles for 2.3 Mio $ after Data Breach

22. December 2017

In 2015, a data breach occurred at 21st Century Oncology  (21stCO), one of the leading providers of cancer care services in the USA, potentially affecting names, social security numbers, medical diagnoses and health insurance information of at least 2.2 million patients.

On its website, the provider had announced in 2016 that one of its databases was inappropriately accessed by an unauthorized third party, though an FBI investigation had already detected an attack as early as October 2015. The FBI, however, requested 21stCO to delay the notification because of ongoing federal investigations.

21stCO had then stated that ““we continue to work closely with the FBI on its investigation of the intrusion into our system” and “in addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.” To make amends for the security gap patients had been offered one year of free credit monitoring services.

Nevertheless, the provider now has to pay a fine worth 2.3 million dollars as settled with the Office for Civil Rights (OCR; part of the U.S. Department of Health and Human Services).

It has been accused of not implementing appropriate security measures and procedures to regularly review information system activity such as access or security incident reports, despite the disclosure by the FBI.

The OCR further stated that “the organization also disclosed protected health information to its business associates without having a proper business associate agreement in place”.

The settlement additionally requires 21stCO to set up a corrective action plan including the appointment of a compliance representative, completion of risk analysis and management, revision of cybersecurity policies, an internal breach reporting plan and overall in-depth IT-security. The organization will, in addition, need to maintain all relevant documents and records for six years, so the OCR can inspect and copy the documents if necessary.

Following the settlement, District Attorney Stephen Muldrow stated “we appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures.”