Then a Hacker Began Posting Patients' Deepest Secrets Online

May 04, 2021 at 11:00

Jere woke up on the morning of October 24, 2020, expecting what Finnish college students call normi päivä, an ordinary day. It was a Saturday, and he’d slept in. The night before, he had gone drinking by the beach with some friends. They’d sipped cheap apple liqueur, listened to Billie Eilish on his boom box. Now Jere (pronounced “yeh-reh”) needed to clear his head. He was supposed to spend this gray fall day on campus, finishing a group physics project about solar energy. The 22-year-old took a walk around the lake near his apartment outside Helsinki. Then, feeling somewhat refreshed, he jumped on the bus.

The day went quickly. Jere caught up with his friends, many of whom he hadn’t seen since the pandemic began. They chatted about their Christmas plans, ordered pizzas from a favorite local spot, and knuckled down to work in the cafeteria.

At around 4 pm, Jere checked Snapchat. An email notification popped up on his screen. His hands began to shake. The subject line included his full name, his social security number, and the name of a clinic where he’d gotten mental health treatment as a teenager: Vastaamo. He didn’t recognize the sender, but he knew what the email said before he opened it.

A few days earlier, Vastaamo had announced a catastrophic data breach. A security flaw in the company’s IT systems had exposed its entire patient database to the open internet—not just email addresses and social security numbers, but the actual written notes that therapists had taken. A group of hackers, or one masquerading as many, had gotten hold of the data. The message in Jere’s inbox was a ransom demand.

“If we receive €200 worth of Bitcoin within 24 hours, your information will be permanently deleted from our servers,” the email said in Finnish. If Jere missed the first deadline, he’d have another 48 hours to fork over €500, or about $600. After that, “your information will be published for all to see.”

Jere had first gone to Vastaamo when he was 16. He had dropped out of school and begun to self-harm, he says, and was consuming “extreme amounts” of Jägermeister each week. His girlfriend at the time insisted he get help; she believed it was the only way Jere would see his 18th birthday.

During his therapy sessions, Jere spoke about his abusive parents—how they forced him, when he was a young kid, to walk the nearly 4 miles home from school, or made him sleep out in the garden if he “was being a disappointment.” He talked about using marijuana, LSD, DMT. He said he’d organized an illegal rave and was selling drugs. He said he’d thought about killing himself. After each session, Jere’s therapist typed out his notes and uploaded them to Vastaamo’s servers. “I was just being honest,” Jere says. He had “no idea” that they were backing the information up digitally.

In the cafeteria, Jere grabbed his bag and told his friends he’d turn in his portion of the physics project the next day. On the bus ride home, he frantically texted his best friend to come over. Then his mother called; as the adult listed on his old account, she’d received the ransom note too. She and Jere were on good terms now, but if she got involved she might learn what he’d said in his sessions. Then, he says, he’d probably lose her from his life completely. He told his mother not to worry. That afternoon, he filed an online police report.

Jere poured himself a shot of vodka, then two or three more. He found his vape pen and took a Xanax, prescribed to him years earlier for anxiety. He’d stored a few pills in his bedroom drawer just in case, but he never believed he’d need them again. He passed out shortly after his friend arrived.