Authorities are working to locate patients who received the emails, threatening to release personal information if the recipient does not pay the blackmailer. Some posts have already been leaked online.
Finnish police are working with other agencies to investigate data breaches targeting Vastamo, the country’s largest private psychiatric treatment center treating about 40,000 patients across the country.
“We are grateful for the various actors in the community who have helped the police,” said Marco Lebonen, a detective with the Finnish National Intelligence Service. “It would be great to ask all citizens not to share this matter on social media. Sharing information like this fulfills the essential elements of a crime,” he added.
Some of the victims have received emails asking them to pay in bitcoin to prevent their personal information from being made public, which encourages the authorities to do the same to the victims. Instead, agencies ask those patients to save the extortion emails and other evidence they may have and file a police report. Police have encouraged hackers to pay, which they say does not guarantee their data is private.
Finnish leaders have expressed dissatisfaction with the violation and said victims need immediate support.
“This data breach has come as a shock in many ways,” Finnish Prime Minister Channa Marin said on Twitter on Saturday. “Victims now need support and assistance. Ministries are exploring ways to help victims. The actions of municipalities and organizations are also needed.”
The country’s president, Sullivan Nine, told Yale News on Sunday that the violation was “incessantly cruel.”
“We all have our inner personality that we want to protect. Now it has been violated,” he said.
Vastamo said it had launched an internal investigation into the matter and admitted on its website on Monday that hackers had re-accessed its patient database in November 2018. The company said the security vulnerabilities lasted until March 2019. Its CEO was found to have fired Ville Tobio, who hid a breach from the company’s board and parent company.
Tobio said in a statement posted on his Facebook page Monday evening that he was unaware of the initial data breach in November 2018.
Trophicom, Finland’s transport and communications company, said on Monday it was working with other public authorities to set up a website to help victims.
“In this situation, there is a need to make the updated information available in one place,” said Tropicom Director General Kirsi Carlama. “We hope the site will be useful to them in this difficult situation.”
CNN’s Sheriff Budget contributed to the report from Atlanta.