Extortion of therapy patients in Finland shakes culture of privacy

A view of the offices of Vastaamo psychotherapy center in the Pasila neighborhood of Helsinki, Oct. 24, 2020.

Heikki Saukkomaa/Lehtikuva/AP/File

March 19, 2021

Katleena Kortesuo wasn’t completely unprepared when the extortionist known as “RANSOM_MAN” got in touch with her last October.

Two days earlier, it had been reported that hackers had stolen confidential therapy records from Vastaamo, a private psychotherapy center based in Helsinki where Ms. Kortesuo was a patient. RANSOM_MAN – perhaps the original hacker, perhaps not – had been sending emails to patients threatening to make their stolen information public if they didn’t pay the sum demanded, usually €200 ($238).

“They knew my name, my email, and my personal identification number [the Finnish equivalent of the U.S. Social Security number],” says Ms. Kortesuo. “And they knew that I had been a patient at Vastaamo.” Even though it wasn’t a total surprise, she says, it was hard to process the affair – especially after the hacker backed up his threat by leaking some of the stolen data relating to the victims on the dark net. As of February, some 25,000 criminal reports had been filed in connection with the hack.

Why We Wrote This

Cybercrimes often entail a violation of trust. But the hack of a private psychotherapy center – including patient session notes – has struck the Finnish culture of privacy particularly hard.

“This was the biggest crime in Finnish history, as well as one of the most horrific,” says Ms. Kortesuo, who is now writing a book about the breach and its societal repercussions.

The Vastaamo hack and subsequent blackmail has deeply shaken Finnish society. While the crime would have been intrusive anywhere, it has struck at some of Finland’s cornerstone values, including privacy and faith in online connectivity. But it may at least be opening the door to a more public discussion of the importance of mental health and health care.

They took up arms to fight Russia. They’ve taken up pens to express themselves.

“This was definitely a watershed event for Finland,” says Michael Franck, a noted Finnish documentary filmmaker. “The fact that this sort of thing could happen here in Finland, a country which prides itself on being one of the cradles of connectivity, as well as one with a strong and secure health-care system, was shocking.”

Shaking societal trust

“Break-ins to computers and stealing databases are unfortunately not so unusual anymore,” says Detective Chief Inspector Marko Leponen of the Finnish National Police. “Still, if we look at this case, it was basically unprecedented.”

Inspector Leponen ought to know. He is the head of the task force that is investigating the case. “The amount of personal data that was targeted was just enormous,” he says. Also, he notes that this is the first instance in Finland where ransom was demanded not just from the breached organization, but from the patients whose data was stolen.

“One of the reasons why this hack has been so devastating is trust,” he says. “We Finns trust our society and trust that all of our sensitive systems are properly secured.”

The fact that the victims were psychotherapy patients, including those with depression and other severe problems, added to the public shock, particularly in a society whose members are not used to discussing their private lives, no less that they or their loved ones are in therapy to begin with.

Ukraine’s Pokrovsk was about to fall to Russia 2 months ago. It’s hanging on.

Psychotherapy isn’t taboo, says veteran Finnish diplomat Petri Tuomi-Nikula, but talking about it is. “We don’t talk about therapy the way people do in the U.S. In this sense we are more private.”

Ami Hasan, a leading Finnish advertising executive, agrees. “Going into therapy isn’t as natural for Finns as it is for Americans,” he says. “Then, to have a hacker take advantage of this shyness, or avoidance, or whatever you call it, and tell the patients whose therapy notes he stole, ‘Pay me or I will let your employer or loved ones know that you have mental problems.’ Well, Finns don’t take that lightly.”

“Of course, breaching the trust and secrecy of what you would tell your therapist would be – ought to be – egregious anywhere,” says Teivo Teivainen, professor of world politics at Helsinki University, “but perhaps here it was even a greater shock because the level of societal trust is high.”

Dr. Teivainen says that Finns’ trust in society is probably due to a combination of factors, including a tradition of relative equality tracing back to Swedish rule, the influence of the once powerful Lutheran Church, and the relative homogeneity of Finnish society.

“Vastaamo was a kind of perfect storm for Finns,” says Mark Maher, an American art curator who has lived in Finland for many years. “It wreaked havoc with several pillars of the Finnish ethos at once – their pride in being one of the first digitalized societies, their sense of privacy, and their trust in institutions, both public and private. ... All that was damaged here.”

Responding to the hack

The damage and the aftershocks from it have been seen at Victim Support Finland (RIKU), an organization that provides counseling and support to victims of crimes. “We have had victims of identity theft,” says RIKU director Leena-Kaisa Åberg, “but never on this kind of scale.”

All told, she says, her agency had more than 22,600 clients in 2020, an increase of nearly 50% from 2019. The Vastaamo hack has been a significant driver behind the increase, she says.

The government is trying to fix the security holes revealed by the hack, says Olli-Poika Parviainen, the state secretary to the Ministry of the Interior. “The digitalization of health care and welfare require a high level of security,” he says, “and we are doing our best to ensure that.”

However the trauma and gnawing sense of insecurity for the thousands of victims of the blackmail continues, says Ms. Kortesuo, who has been keeping a blog about the case. “Clearly people are suffering from insecurity, hopelessness, anxiety, and powerlessness in this matter.”

As an example, she cites one message she received from an anonymous victim. “This is a hell that lasts for the rest of my life,” the victim wrote. “I might find my data after 4, or 6, or 12 years. My anxiety and stress levels are going through the ceiling.”

Still, as traumatic as the affair has been, she says she feels some good has come out of it as well. “Companies’ awareness and investment in cybersecurity has risen. I also appreciate the fact that the whole nation supported the victims and condemned the criminals.”

Perhaps most important, Ms. Kortesuo says, “we learned to discuss mental health as a nation,” pointing to the growing number of people, including health care professionals, who have admitted that they were in therapy too, something which many Finns have been loath to do.

“In the past one's therapy, or the fact that one was in therapy – or not – was not something one discussed here,” says Mr. Tuomi-Nikula. “But that’s changing fast, at least in part because of this affair.”