After hackers blackmailed their clients, Finnish therapy firm declares bankruptcy

  • Highly sensitive notes from therapy sessions were published online in an attempt to blackmail patients
  • Hackers bragged about the poor state of firm’s security

Vastaamo, the Finnish psychotherapy practice that covered up a horrific security breach which resulted in patients receiving blackmail threats, has declared itself bankrupt.

Vastaamo’s problems first began in 2018, when it discovered that a database of customer details and – most shockingly – notes from therapy sessions had been accessed by hackers.

You would like to think that security would then be tightened up, but in March 2019, Vastaamo CEO Ville Tapio knew that hackers had, in the months since, continued to access the systems of the chain of private psychotherapy clinics.

Astonishingly, Tapio did not share that critical information with the appropriate authorities or with other members of Vastaamo’s board – perhaps because he had been responsible for setting up the database’s security himself.

It was only in October 2020 that the truth finally came out, and the criminals published batches of the sensitive records on the dark web. The hackers initially demanded a ransom payment from Vastaamo of about 450,000 euros, before inviting patients to pay approximately 500 euros if they wanted their data taken down.

An estimated 40,000 patients were affected by the breach.

In online posts, the hackers bragged about the poor state of Vastaamo’s security.

Tapio was subsequently fired, and replaced as the company’s CEO.

The damage, however, was too much for Vastaamo, which has clinics across Finland, to take.

The harm caused by the criminal hackers and the subsequent damage done to the Vastaamo brand was simply too great, and the company announced this week that it had been placed in liquidation.

The company has come to an agreement with Verve, another psychotherapy practice based in Finland, that patients can continue to make appointments through them with their therapist or psychiatrist.

In the meantime, patients are being urged not to give in to the ransom demands, and to report any communications they receive from the extortionists to the police.

In January, Finland’s social insurance institution Kela said that it was terminating its contract with Vastaamo – not because of the security breach, but due to an inspection discovering that some of the firm’s therapists were not adequately qualified.

According to data collected by security researcher Adrian Sanabria, Vastaamo is one of fewer than two dozen companies to have been ruined by a data breach, and “is the largest so far, at 400 employees.”

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.