Vastaamo, the Finland-based private psychotherapy practice that covered up a cyber attack on its patient record system in 2018 and then saw its patients directly extorted by cyber criminals, has collapsed into bankruptcy with its services to be acquired by medical services firm Verve.
The firm came to worldwide attention in the wake of the extortion attack in October 2020, in which cyber criminals threatened to leak personal data unless patients paid a bitcoin ransom of €200.
It subsequently emerged that the business’ former owner, Ville Tapio, who had sold Vastaamo to an investment company in 2019, may have been aware of the 2018 cyber attack but failed to disclose it. Assets belonging to Tapio and his family totalling €10m were seized in the initial investigation by the Finnish authorities.
The firm was subsequently placed into liquidation while it attempted to continue its operations, but “despite tenacious attempts” this was not possible, and liquidator Lassi Nyyssönen of law firm Fenno has now filed for bankruptcy in the Helsinki District Court.
In a statement, representatives of Vastaamo said that high non-recurring costs and uncertainty caused by the cyber attack, coupled with its handling of the breach, had put such a strain on the business’ finances that it was no longer possible to continue.
“It is very unfortunate that it was not possible to avoid the bankruptcy of Vastaamo,” said Nyyssönen. “However, it is important that the sale of the business opens up a solution for customers and Vastaamo’s skilled personnel, with which they can continue their therapy and treatment with confidence.”
Nyyssönen added that the transfer of Vastaamo’s staff to Verve would provide a “stable framework” for its therapists and psychiatrists to continue their work.
Legal investigations into the data breach continue after it emerged at the end of January 2021 that the stolen database appeared to have been republished on the dark web. The firm said it deeply regretted the circumstances of this particular incident, although this will be little comfort to the patients who found themselves blackmailed.
Vastaamo is not the first business to collapse after a cyber attack proved too devastating to overcome – 2020 saw the demise of foreign exchange services company Travelex after a Sodinokibi ransomware attack – but such events are not common, said F-Secure chief research officer Mikko Hyppönen.
“It is actually very rare for companies to fold as a consequence of a data breach, no matter how severe the breach was in the first place,” he said.
“Organisations that suffered huge breaches in the past, such as Ashley Madison and Equifax, both recovered, and even SolarWinds looks like it is going to recover. But generally, companies survive getting hacked.
“The C-level executives may face the axe, but it is more than likely that companies recover with revenues and stock values rebounding eventually. Clinical organisations such as Vastaamo rely heavily on trust with their patients; if that trust is broken, it may have been too hard to recover from in this specific case.”