Ransomware: Patients Being Extorted – What You Can Learn From The Vastaamo Breach

As a healthcare provider, you store a lot of personal information about your patients.

Most offices, when they welcome a new patient, require a variety of intake forms which generally include health histories, as well as previous diagnoses, treatments, and medications.

As a health care provider, you need to ensure this information is carefully protected, as leaks can result in everything from embarrassment to identity theft for affected patients, as well as fines, reprimands, and reputational damage for your practice.

Taking measures, such as having a security assessment done on your IT systems, is a great first step to finding gaps that could be exploited by bad actors and fixing them before you face a breach.

Let’s take a look at a case study of a psychotherapy centre in Finland that experienced a data breach which resulted in attempts to extort patients.

Details of The Vastaamo Breach

Therapists have to create a special level of trust with their patients.

People need to feel comfortable baring their souls, telling things they may never have told anyone else before.

So when hackers in Finland gained access to medical records including therapy transcripts, patients whose details were compromised felt a sense of shock.

Vastaamo is a company which runs therapy centres across Finland.

In October of 2020, news of a massive breach of Vastaamo’s internal systems came to light.

Records dating from between November 2018 and March 2019, including information about four hundred employees and roughly forty thousand patients, were stolen.

Data stolen included not just government identity numbers and address information, but also notes from therapy sessions, as well as diagnosis information.

One patient was told to send €200 in bitcoin within 24 hours, and a further €500 48 hours after that, to prevent personal information, including transcripts of her therapy sessions, from being leaked online.

This patient said although she doesn’t feel ashamed about using a therapist, she worried because the hackers had enough information to commit identity fraud.

Another patient commented on how the breach not only affects him but also his wife and children, because he has discussed details relating to them in his therapy sessions.

The unidentified criminals, known as “RANSOM_MAN”, also attempted to extort bitcoin payments from Vastaamo directly, stating they would publish the personal data of up to one hundred people every day on their Tor file server until they received the demanded bitcoin.

The Vastaamo case is considered unusual, and rather frightening, because the extortionists went after individual patients, including some children. In most ransomware cases like this, the criminals stick to blackmailing only the corporate source of the information.

Vastaamo is now under investigation, and Marko Leponen, an investigator with Finland’s National Bureau of Investigation, has stated the system’s security “wasn’t at the level needed to secure the system” at the time of the breach.

Due to the vulnerabilities within the system, it’s possible much more data was compromised than officials are currently aware of.

What Does This Mean For You, As A Health Care Provider?

As a health care provider, you likely have a lot of private information about your patients on file.

And your clientele has an expectation that anything you store on them is going to be well protected against loss and theft.

While your files may not contain anything as personal as records from therapy sessions, the information you do have can still tell a lot.

For instance, a medical history might reveal that a patient is on medications for depression and anxiety, is taking pre-exposure prophylaxis drugs to reduce their risk of contracting HIV/AIDS, or is undergoing other treatments for medical conditions which they don’t want the world to know about.

Protecting Your Patient Data Is Important For Your Business’ Professional Reputation

Some tips which can help you protect your patient data include:

  • Get help from a certified cybersecurity professional, not just an IT provider.
  • Encrypt all files which contain personally identifiable health information (PII).
  • Ensure you’re using security and IT software which has been tried and tested; in the case of the Vastaamo breach, they used bespoke software which was developed in-house.
  • Regularly conduct cyber security audits to identify any weaknesses in your systems.
  • Implement and enforce policies regarding password management.
  • Have policies in place in case a breach does occur, so you’re not scrambling at the last minute to figure out your responsibilities under the law.
  • Back up data regularly.
  • Consider purchasing cybersecurity insurance.

A cybersecurity breach can have grave ramifications for your reputation and may result in fines for your business. Taking measures to prevent issues before they occur is always in your best interest.

The Vastaamo breach should be considered a cautionary tale for anyone who stores personal information of their clientele, health related or otherwise.

If reading this sent a chill up your spine, then take that as a sign it’s time to reexamine your cybersecurity procedures.

Whether you’re looking for cybersecurity awareness programs for your team or someone to perform a cybersecurity audit to help you find the vulnerabilities in your current setup, I’m here to help.

Contact me today to discuss what can be done to find and fix your security gaps.