Authorities are working to identify those patients who have received emails that threaten to reveal personal information, unless the recipient pays the blackmailer. Some of the files have already leaked to the internet.
Finnish police are working with other services to investigate data breaches targeting Vastaamo, the country’s largest private psychotherapy center, which treats some 40,000 patients nationwide.
“We are grateful for how various sections of society have helped the police,” said Marko Leponen, a detective inspector at the National Bureau of Investigation in Finland. “It is particularly gratifying that citizens are urging everyone not to share this material on social media. Sharing this information meets the basic elements of a crime,” he added.
Some of the victims have received emails demanding bitcoin payments to prevent the disclosure of their personal information, which authorities discourage victims from doing. Instead, agencies ask these patients to store blackmail emails and other possible information they may have received and report to the police. Police also discouraged people from paying the hackers, saying they would not ensure their data remained private.
Finnish leaders have expressed dissatisfaction with the breach and said the victims needed immediate support.
“This data breach is shocking in many ways,” Finnish Prime Minister Sana Marin said on Twitter on Saturday. “Victims now need support and help. Ministries are exploring ways to help victims. Actions from municipalities and organizations are also needed.”
President Sauli Niinistö told Yle News on Sunday that the violation was “relentlessly cruel”.
“We all have our inner personality that we want to protect. Now it has been violated,” he said.
Vastaamo said it had launched an internal investigation into the matter and admitted on its website Monday that the patient database was first accessed by hackers in November 2018. The company said security flaws continued to persist until March. 2019. The company also announced on Monday the dismissal of its CEO, Ville Tapio, after it was discovered that he hid a breach from the board of directors and the parent company of the company.
Tapio said he was unaware of the initial data breach in November 2018, in a statement released Monday afternoon on his Facebook page.
Finland’s transport and communications agency, Traficom, said Monday it had partnered with other public authorities to set up a website to help victims.
“In this worrying situation, there is a need to make up-to-date information available in a single place,” said Traficom CEO Kirsi Karlamaa. “We hope the site is useful in this difficult situation.”
CNN’s Sharif Paget contributed to this report from Atlanta.