Connect with us

Its123.com

Cryptocurrency Bitcoin Then a Hacker Began Posting Patients’ Deepest Secrets Online


Crypto

Cryptocurrency Bitcoin Then a Hacker Began Posting Patients’ Deepest Secrets Online

Jere woke up on the morning of October 24, 2020, expecting what Finnish college students call normi päivä, an ordinary day. It was a Saturday, and he’d slept in. The night before, he had gone drinking by the beach with some friends. They’d sipped cheap apple liqueur, listened to Billie Eilish on his boom box.…

Cryptocurrency  Bitcoin Then a Hacker Began Posting Patients’ Deepest Secrets Online

Cryptocurrency Bitcoin

Jere woke up on the morning of October 24, 2020, expecting what Finnish college students call normi päivä, an ordinary day. It was a Saturday, and he’d slept in. The night before, he had gone drinking by the beach with some friends. They’d sipped cheap apple liqueur, listened to Billie Eilish on his boom box. Now Jere (pronounced “yeh-reh”) needed to clear his head. He was supposed to spend this gray fall day on campus, finishing a group physics project about solar energy. The 22-year-old took a walk around the lake near his apartment outside Helsinki. Then, feeling somewhat refreshed, he jumped on the bus.

The day went quickly. Jere caught up with his friends, many of whom he hadn’t seen since the pandemic began. They chatted about their Christmas plans, ordered pizzas from a favorite local spot, and knuckled down to work in the cafeteria.

At around 4 pm, Jere checked Snapchat. An email notification popped up on his screen. His hands began to shake. The subject line included his full name, his social security number, and the name of a clinic where he’d gotten mental health treatment as a teenager: Vastaamo. He didn’t recognize the sender, but he knew what the email said before he opened it.

A few days earlier, Vastaamo had announced a catastrophic data breach. A security flaw in the company’s IT systems had exposed its entire patient database to the open internet—not just email addresses and social security numbers, but the actual written notes that therapists had taken. A group of hackers, or one masquerading as many, had gotten hold of the data. The message in Jere’s inbox was a ransom demand.

“If we receive €200 worth of Bitcoin within 24 hours, your information will be permanently deleted from our servers,” the email said in Finnish. If Jere missed the first deadline, he’d have another 48 hours to fork over €500, or about $600. After that, “your information will be published for all to see.”

Jere had first gone to Vastaamo when he was 16. He had dropped out of school and begun to self-harm, he says, and was consuming “extreme amounts” of Jägermeister each week. His girlfriend at the time insisted he get help; she believed it was the only way Jere would see his 18th birthday.

During his therapy sessions, Jere spoke about his abusive parents—how they forced him, when he was a young kid, to walk the nearly 4 miles home from school, or made him sleep out in the garden if he “was being a disappointment.” He talked about using marijuana, LSD, DMT. He said he’d organized an illegal rave and was selling drugs. He said he’d thought about killing himself. After each session, Jere’s therapist typed out his notes and uploaded them to Vastaamo’s servers. “I was just being honest,” Jere says. He had “no idea” that they were backing the information up digitally.

In the cafeteria, Jere grabbed his bag and told his friends he’d turn in his portion of the physics project the next day. On the bus ride home, he frantically texted his best friend to come over. Then his mother called; as the adult listed on his old account, she’d received the ransom note too. She and Jere were on good terms now, but if she got involved she might learn what he’d said in his sessions. Then, he says, he’d probably lose her from his life completely. He told his mother not to worry. That afternoon, he filed an online police report.

Jere poured himself a shot of vodka, then two or three more. He found his vape pen and took a Xanax, prescribed to him years earlier for anxiety. He’d stored a few pills in his bedroom drawer just in case, but he never believed he’d need them again. He passed out shortly after his friend arrived.

The next morning, Jere checked Twitter, where he was both horrified and relieved to learn that thousands of others had received the same threat. “Had I been one of the only people to get the mail, I would have been more scared,” he says.

Vastaamo ran the largest network of private mental-health providers in Finland. In a country of just 5.5 million—about the same as the state of Minnesota—it was the “McDonald’s of psychotherapy,” one Finnish journalist told me. And because of that, the attack on the company rocked all of Finland. Around 30,000 people are believed to have received the ransom demand; some 25,000 reported it to the police. On October 29, a headline in the Helsinki Times read: “Vastaamo Hacking Could Turn Into Largest Criminal Case in Finnish History.” That prediction seems to have come true.

If the scale of the attack was shocking, so was its cruelty. Not just because the records were so sensitive; not just because the attacker, or attackers, singled out patients like wounded animals; but also because, out of all the countries on earth, Finland should have been among the best able to prevent such a breach. Along with neighboring Estonia, it is widely considered a pioneer in digital health. Since the late 1990s, Finnish leaders have pursued the principle of “citizen-centered, seamless” care, backed up by investments in technology infrastructure. Today, every Finnish citizen has access to a highly secure service called Kanta, where they can browse their own treatment records and order prescriptions. Their health providers can use the system to coordinate care.

Vastaamo was a private company, but it seemed to operate in the same spirit of tech-enabled ease and accessibility: You booked a therapist with a few clicks, wait times were tolerable, and Finland’s Social Insurance Institution reimbursed a big chunk of the session fee (provided you had a diagnosed mental disorder). The company was run by Ville Tapio, a 39-year-old coder and entrepreneur with sharp eyebrows, slicked-back brown hair, and a heavy jawline. He’d cofounded the company with his parents. They pitched ­Vastaamo as a humble family-run enterprise committed to improving the mental health of all Finns.

For nearly a decade, the company went from success to success. Sure, some questioned the purity of Tapio’s motives; Kristian Wahlbeck, director of development at Finland’s oldest mental health nonprofit, says he was “a bit frowned-upon” and “perceived as too business-minded.” And yes, there were occasional stories about Vastaamo doing shady-seeming things, such as using Google ads to try to poach prospective patients from a university clinic, as the newspaper Iltalehti reported. But people kept signing up. Tapio was so confident in what he’d created that he spoke about taking his model overseas.

Dig Deeper with Our Longreads Newsletter

Sign up to get our best longform features, investigations, and thought-provoking essays, in your inbox every Sunday.

Top News

Popular Posts

To Top