Earlier this year, we reported on an evolution in the form of cyberattack known as ransomware –attackers transitioning from denying affected users access to critical data by encrypting it to removing data from the compromised systems and threatening public release in exchange for payment. These attacks typically target the companies maintaining the data. However, attackers may be adopting a new tactic when they do not get paid, targeting the individuals whose sensitive personal information was compromised.
According to reports, a healthcare provider in Finland was hacked and the attackers demanded 40 bitcoins (or about $525,000) on the threat of public disclosure of patient psychotherapy records. Businesses in the US hearing these facts might be thinking of the recent advisory issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) alerting companies of the potential sanctions risk for facilitating ransomware payments. The 22-location psychotherapy provider, Vastaamo, refused to pay the ransom.
When the attackers did not get paid by the provider, patients began receiving emails demanding payment of smaller amounts to avoid disclosure. Reporting on this incident states:
Therapist session notes of some 300 patients have already been published on a Tor-accessible site on the dark web. Among the victims are Finnish politicians (e.g., Member of Parliament Eeva-Johanna Eloranta) and minors.
Not much is known yet about the nature of the attack and various governmental agencies are involved.
This incident reveals a troubling pattern of cyberattacks now extending to individuals served by the organizations compromised – patients, students, customers, members, employees, etc.
Organizations devote significant resources to securing their networks and protecting the data they maintain. While that is necessary, considering the nature of the threats and current trends, it likely is not sufficient. Incident response planning is critical, but it needs to be reevaluated and evolve as the threat landscape evolves.
There are many steps organizations could take to minimize the chance and impact of a successful attack, and to be prepared to respond. Situations like this emphasize the need to understand the individuals the organization serves, what their needs might be in a case like this, and how best to communicate with them efficiently.