Vastaamo, the Finland-based private psychotherapy practice that covered up a cyber attack on its patient record system in 2018 and then saw its patients directly extorted by cyber criminals, has collapsed into bankruptcy with its services to be acquired by medical services firm Verve.
The firm came to worldwide attention in the wake of the extortion attack in October 2020, in which cyber criminals threatened to leak personal data unless patients paid a bitcoin ransom of €200.
It subsequently emerged that the business’ former owner, Ville Tapio, who had sold Vastaamo to an investment company in 2019, may have been aware of the 2018 cyber attack but failed to disclose it. Assets belonging to Tapio and his family totalling €10m were seized in the initial investigation by the Finnish authorities.
The firm was subsequently placed into liquidation while attempting to continue its operations, but “despite tenacious attempts” this was not possible, and liquidator Lassi Nyyssönen of law firm Fenno has now filed for bankruptcy in the Helsinki District Court.
In a statement, representatives of Vastaamo said that high non-recurring costs and uncertainty caused by the cyber attack, coupled with its handling of the breach, had put such a strain on the business’ finances that it was no longer possible to continue.
“It is very unfortunate that it was not possible to avoid the bankruptcy of Vastaamo,” said Nyyssönen. “However, it is important that the sale of the business opens up a solution for customers and Vastaamo’s skilled personnel, with which they can continue their therapy and treatment with confidence.”
Nyyssönen added that the transfer of Vastaamo’s staff to Verve would provide a “stable framework” for its therapists and psychiatrists to continue their work.
Legal investigations into the data breach continue after it emerged at the end of January 2021 that the stolen database appeared to have been republished on the dark web. The firm said it deeply regretted the circumstances of this particular incident, although this will be little comfort to the patients who found themselves blackmailed.
Vastaamo is not the first business to collapse after a cyber attack proved too devastating to overcome – 2020 saw the demise of foreign exchange services company Travelex after a Sodinokibi ransomware attack – but such events are not common, said F-Secure chief research officer Mikko Hyppönen.
“It is actually very rare for companies to fold as a consequence of a data breach, no matter how severe the breach was in the first place,” he said.
“Organisations that suffered huge breaches in the past, such as Ashley Madison and Equifax, both recovered, and even SolarWinds looks like it is going to recover. But generally, companies survive getting hacked.
“The C-level executives may face the axe, but it is more than likely that companies recover with revenues and stock values rebounding eventually. Clinical organisations such as Vastaamo rely heavily on trust with their patients; if that trust is broken, it may have been too hard to recover from in this specific case.”