Hacked - The Place Where You Get Answers From
Episode Date: May 25, 2021
Jordan Bloemen & Scott Francis Winder discuss the saga of Vastaamo, and what happens when some of the most sensitive data imaginable finds its way into the wrong hands. If you like the show and want to make sure we can keep making it, please subscribe and, if you can, visit https://www.patreon.com/hackedpodcast and show us some love.
Transcript
An update now on the Colonial Pipeline ransomware attack.
The Colonial Pipeline experienced a cyber attack.
NBC News has learned Colonial Pipeline paid nearly 5 million in ransom to hackers who infiltrated their systems.
This is about a ransomware attack, but not the one you've been hearing about.
And it concerns a Finnish startup called Vastaamo.
On September 28th of last year, a guy named Ville Tapio,
CEO of Vastaamo, gets a ransomware demand: 40 Bitcoin, which at the time was roughly half a million
bucks U.S., for the hacker to delete the data that they had stolen from Vastaamo.
You see, some ransomware extracts money by encrypting the victim's data, and they'll only
unlock it once the ransom is paid. Some ransomware extracts money by crippling an essential system
that they'll only unlock once the ransom is paid. We heard about one of those this month.
But this was the other kind of ransomware attack.
They had stolen a copy of the victim's data, Vastaamo's data,
and they were going to leak it unless the ransom was paid.
The only way that a ransomware attack like this works is if that data is really private,
or incriminating, or sensitive in some way.
Which brings us to what this company Vastaamo did,
and what information had been stolen.
Tapio ultimately declined to pay the ransom.
There's always this devil's bargain whenever you pay any kind of ransom
that you've really got no proof that the person's going to do
what they said they're going to do once they get the money.
And when Tapio refused to pay,
the hacker decided to move on to a new victim,
to the users of Vastaamo,
whose data was contained inside that leak.
Vastaamo is Finnish for "the place where you get answers from,"
and those answers had to do with some of the biggest questions that people ask,
because Vastaamo was a digital therapy company.
And the data that was stolen was records from thousands of therapy sessions,
not just patient names, but actual notes from the sessions.
Transcriptions of people's most vulnerable secrets and personal confessions and innermost thoughts.
And now this hacker was reaching out to them directly with a much more personal threat.
This is what happened to the place where you get answers from.
Here on Hacked.
Yo, that's scary as fuck.
Oh, the story is actually like spooky as shit.
Like, like low key, like high key, maybe the shittiest thing about like personal health services going online.
Yeah, it's been an interesting year for health services going online.
Yeah, for sure.
There's been a lot of it.
if you were doing IT or security in digital health,
like 10,000 foot view,
like how would you be thinking about it?
Like, what would your top level priorities be?
Well, security would be,
I don't even know how you would,
like I would probably be encrypting all data locally.
Because any of those, like,
you wouldn't be saving anything in unencrypted form
and you'd have relatively comprehensive
encryption measures to get access to it, because it's like, those are bloody health records,
you know, and not even health records, they're mental health records, which I actually argue
were probably more sensitive. When I was listening to the intro, all I was thinking about was
how in God's name does the insurance company that insures this company not pay the ransom,
because I can't see how this doesn't just end in the most ridiculous amount of lawsuits if this stuff
does start leaking.
Yeah, a ridiculous amount of lawsuits is some good foreshadowing.
So in Finland, they've used this system since 2014.
When the Finnish Parliament decided to break medical information systems into two different
categories, Class A systems would connect with the National Health Data Repository, the system
called Kanta.
And if you wanted to connect to Kanta, you had to meet these really, really strict security
and compatibility standards.
If you're going to be keeping patient records digitally for any amount of time,
you had to use the Class A system.
And I imagine just from like a cybersecurity perspective that there's a lot of benefits
to a centralized system like that.
You could maintain standards across the whole system just by changing Kanta.
It becomes kind of a bottleneck for however secure or unsecure the whole system is, right?
Right.
So that's Class A.
Smaller organizations, like a little like acupressure clinic,
that keeps filing cabinets full of literal paperwork.
They got to use this other system.
It's much less intense, smaller system
for any digital records that they had
called the Class B system.
And the Class B system isn't really tightly regulated
because it's kind of like small fish.
It's not a big target for hackers.
Which is the context for digital health
when this company, Vastaamo, comes onto the scene.
In 2009, the Finnish Innovation Fund decides
to give $12,000 to a guy named
Ville Tapio to start this company. Tapio grew up in Helsinki during the recession,
starts learning code when he's like 10 years old and his parents give him a Commodore 64,
starts a couple of businesses and he eventually finds himself at the Finnish Innovation Fund
working on a project that has him touring around Western Europe doing analysis of different
healthcare systems around the continent, which is when he starts thinking about this idea
of mental health. In Finland at the time, mental health services weren't very good.
There were some whole areas where there were just blackouts of coverage.
You couldn't find a provider.
And then he goes on this tour and he sees other countries,
the Netherlands in particular, represent,
just absolutely crushing it when it comes to mental health.
So he starts to wonder,
is this something where like a digital service could help?
Telehealth, as it's sort of been known for a long time,
has been around in some way or another for quite a bit.
It's actually pretty well established here in Canada where we're from.
But modern digital telehealth is a pretty new idea in 2009.
And it seems like a pretty good fit for an area of medicine where, like, you don't need to physically interact with the patient as much.
It's a pretty good thing to digitize first.
So in 2009, he secures a grant from this innovation fund, raises like another 13K from his parents, and he boots up this social enterprise.
And he calls it Vastaamo.
Finnish for "the place where you get answers from."
And the idea is pretty simple.
Clients can send a message to Vastaamo
and in less than 24 hours
a real therapist reaches out and starts a session with them
but the thing about therapy
is that there are parts of it and certain patients
for whom like a Zoom call is just insufficient
and it pretty quickly became clear
that this wasn't going to be comprehensive for a big operation
for everyone that was happy with telehealth
there's a lot of people that want an in-person experience
so Vastaamo starts expanding into physical locations
but all built on that like
tech forward infrastructure they designed for the digital service.
Essentially, Vastaamo was going to digitize whatever they could about therapy, from
booking an appointment, making invoices, and really importantly, the medical records from
the sessions. Everything but the appointment itself was going to be on this central Vastaamo database.
The idea is that independent therapists join Vastaamo to get access to this great platform
and to avoid dealing with all of the junk involved in like,
running a clinic. All the automation means they spend more time with clients and they bill way more
hours. But in order for all of that to work, Vastaamo needed an electronic medical record system.
And classic kind of tech startup, he didn't like any of the ones that existed. To his mind,
the absence of good digital software for therapists was probably why most therapists were still
using paper.
And that kind of a big hole in the market represents a really good business opportunity.
So he cooks up his own.
It launched in late 2012, right around the same time as Vastaamo's first in-person clinic
opened in the Malmi district of Helsinki.
Court documents filed later in this whole story, during the smorgasbord of lawsuits
you mentioned earlier, suggest that the system was browser-based and stored patients' records on
something called an SQL server.
What's an SQL server?
SQL is a simple query language.
It's pretty much the foundation for most modern database systems.
So all your big Oracles, Microsoft SQL, MySQL, Postgres, tons of the big
databasing servers all use SQL implementations.
And it's essentially just a big, just think of like a bunch of Excel spreadsheets that
computers know how to like dig through quickly.
If there was one feature that you would build into a system that does that,
but most importantly stores patient files,
and we talked about this a little bit,
but what would that one single feature be?
If I was storing confidential patient records,
I would be doing something to obfuscate the values inside of those records,
be it encrypting them, hashing them, something.
to make sure that they're not just plain text,
which I have a gut feeling is where we're going.
Vastaamo's system did not do two things.
It did not anonymize records,
and it did not encrypt them.
So the only thing standing between you and the patient files,
again, like therapy session files,
was a server login screen and a handful of firewalls.
I have never designed a system to try and protect medical files.
But from just like a bird's eye design level, that feels really, really wanting to me.
Wanting?
Well, I'd say you'd be surprised at what is stored in unobfuscated SQL tables around the internet.
This is just, this isn't surprising to me, I guess is what I'll say, is pretty much anything you've ever put into any kind of form anywhere on the internet is probably saved in an SQL file somewhere.
and the gaining access to SQL data,
like we've talked about this in previous episodes
with like Ashley Madison and stuff,
you know, there's an entire subset of hackers
who kind of know and go after figuring out ways
to essentially extract extra information out of SQL servers
through web applications,
so you can figure out ways to put in false codes,
figure out how it's pulling, you know,
Ajax calls from the website, so the website's loading data in real time, things like that,
so you can try and intercept those and try and extract out as much stuff as you can from these
SQL tables. And often the tables are relatively commonly named, you know, users, etc.
So the, yeah, it's, it's, I would say a common security problem these days
is having a lot of very sensitive information stored inside of an
SQL server that is then connected to a server that is on the open worldwide web and accessible from anywhere in the world.
Not many places have comprehensive DMZs, so demilitarized zones, so you can have multiple firewall structures
so that you can actually bury your SQL servers behind layers of firewalls,
only allowing specific connections to be authorized coming through from specific computers.
There's lots of ways to try to secure it,
but at the end of the day, the web application still needs access to that SQL server.
And if you can hack the web application or hack the APIs that it's using to call the data from those servers,
you can get access to that data.
So if remember back at the start, there are those two medical file class systems in Finland, right?
There's Class A and Class B.
Class A plugs into that centralized system
called Kanta, and Class B doesn't.
And I got curious about how Class B worked.
And the way it works is Class B operators
would essentially self-certify to the government
that their setup met certain requirements.
And the government would say,
thanks for letting us know.
And the government who is overseeing this Class B system
was, at the time, one man,
named Antti Härkönen,
whose dominion includes every single Class B system
in Finland, over 280 individual
systems. And that seems like too many for one guy. But class B is for small paper-based
operations, right? Not a pretty big network of digital health care providers. And in the fallout
of all this, there's been some dispute as to why Vastaamo, who operated a bunch of different
therapy clinics, never switched over to Class A. In what is in retrospect a very ironic
argument, Tapio, the CEO, has argued that Class A was not secure enough for therapy records
in that other physicians could easily access those sensitive session records.
Kanta, that Class A system, has replied that that's not true.
But the way this all shakes out is that by 2018, when this kind of starts to fall apart,
Vastaamo is still registered as a Class B operation that is, quote, eager to be upgraded
to Class A once the spec for psychotherapy comes out, which it did,
and Vastaamo continued not to adapt.
They just kept chugging along with their firewalls
and their server login page,
and allegedly not a drip of encryption on their side.
During this rise, he's quoted as saying
that Finland's supervisory authorities signed off
on Vastaamo's security system, quote, numerous times.
That supervising authority was the one guy, Härkönen,
overseeing 280 systems,
who has said since then
that it would be functionally impossible
to sign off on all of these things in a meaningful way.
He's also unpacked what that sign-off process actually looks like.
And it's, well, it's what I said.
It's basically Vastaamo submits a self-certification that their SQL server is secure.
Härkönen signs off on it, rinse and repeat for every single new clinic.
Is it secure?
Yeah.
Cool.
Is self-certification like, like, have you heard of anything like this?
Is that common for some sort of overseeing board to just ask if something is secure
and accept the argument that it is sort of carte blanche?
I don't think I know of any major certification board that allows you to just vouch for yourself,
especially something as sensitive as health records.
But I've heard of things like this in other categories where you kind of just self-proclaim that you adhere to rules.
I feel like, I don't know, I feel like we do this a ton these days in COVID.
We're always telling everybody that we don't have fevers and headaches and stuff,
and we're kind of not being tested for it.
But I've never heard about it on like a large security scale.
By 2018, Vastaamo had grown to the point where they were drawing interest from like private equity firms,
one of which would go on to buy the company, making the CEO Tapio very, very wealthy.
And the name of the company that bought Vastaamo is Intera.
And you should remember that name, because they'll come up again later.
At this point, Vastaamo was operating nearly 20 clinics,
employing around 200 therapists and staff.
By the end of 2019, their annual revenue had risen to more than 18 million bucks.
And with each new clinic came more patients
whose data was flooding into this system,
this unencrypted, unanonymized system.
Global note: the word "alleged" must now precede everything that follows
from this point. And who is alleging is not always the same. Tapio claims he first heard from the
hacker on September 28, 2020, when the 40 Bitcoin demand came in. The message came to him and a pair
of developers that he'd hired in 2015, the last two big characters in this saga, Ilari Lind and
Sami Kaskinen. Lind and Kaskinen were responsible for data protection and maintaining the company's
IT systems, including those servers and firewalls.
So September 28th, 2020, this ransomware demand comes in.
And according to a statement made to the Helsinki District Court, Tapio immediately
notifies the cops and the government.
Lind, one of those two security professionals, starts sifting through Vastaamo's network
traffic logs, but reports finding no evidence of a hack.
And it's here that we, kind of the public, hear from our hacker.
for the first time.
When they write, quote,
we have attempted to negotiate with Ville Tapio,
the CEO of Vastaamo,
but he has stopped responding to our emails.
That's a post that appears on the morning of October 21st
on an anonymous discussion board.
So, their plan, states the hacker,
is to leak 100 patient records a day
until they get their 40 Bitcoin.
The first of such leaks was already available
for anyone to read on a linked Tor server.
100 patient files from therapy sessions.
I just want to pause for two seconds.
40 Bitcoin was their demand.
Yes, about half a million bucks U.S. at the time.
That seems pretty negligible
for what I assume the greater liability value is.
And for the amount of money
that ends up being unraveled by this,
I would agree.
So the hacker then reaches out to a journalist.
They email this journalist,
and the hacker says they have this database.
They've had it for 18 months before they realized what they found.
18 months.
He also passes judgment on Vastaamo for storing this information
in the way that they had.
He called them the real criminal, which I don't know.
There can be more than one, but I take his point.
Up until this point, the flow of money and information is like,
it's relatively simple, right?
The hacker stole the database.
He's asking Vastaamo for the money.
And according to his correspondence with the journalist, Tapio, the CEO of the company, refuses.
So the hacker is sitting on all this data, and he's promised to leak it 100 files at a time,
but the company doesn't really seem to give a shit.
So, like, what's his next move?
He keeps leaking it, but if they don't care, they don't care.
I think your moral code would probably preclude you from finding yourself in the situation that this hacker is in.
But if it didn't, what would your next move be, Scott?
All gas, no brakes, I guess.
And at some point, the hacker comes up with his new idea,
a very all gas, no brakes kind of idea.
And I think I know when he comes up with it.
After the conversation had migrated over to a forum on the dark web,
there's this post where a person, one of the patients,
whose information is inside this database,
makes an offer to the hacker.
The patient offers to pay the entire ransom.
Whoa.
40 Bitcoin, half a mill, I know.
just to keep his therapy sessions private.
The company, Vastaamo, they're not budging,
but a bunch of patients start flooding in with offers to pay the ransom.
Sure.
One of them wrote, and he's Finnish, writing in English,
so I'm going to auto-fill the sentence for him.
Quote, I have discussed very private things with my therapist,
and I will literally kill myself if they are released.
I can send it in minutes.
I'm constantly refreshing this page.
Could you imagine the level of anxiety?
No. It's hard to wrap your brain around it. Knowing what some people would be discussing with a therapist and that comes up a bit later, no. I have no idea what these people were going through.
That's, like, honestly scary. Over the days and weeks that follow, if we refer to the hacker's Bitcoin wallet, all in, about 30 payments were made from different patients. There's no evidence in either direction to suggest that the hacker,
who at this point is now going by the name Ransom Man,
ever deleted any of the data.
But I think here, seeing the sensitivity of this information,
the value that it had to people,
and the desperation they felt that Ransom Man comes up with this idea,
to start contacting individual patients.
First, Ransom Man drops another 100 patient records,
just like they promised.
And this batch includes politicians,
some famous Finnish people,
and it covered subjects like adultery
and suicidal ideation and pedophilia.
Shortly after, right after giving a taste of how nasty
some of this stuff was,
ransom man starts reaching out to patients themselves.
I was curious about this.
Apparently this doesn't happen very often
in ransomware attacks at all,
where the hacker will delve into the data set
and start contacting individual people implicated in the data dump.
It's pretty rare.
In 2019, there was a similar incident at a plastic surgery clinic,
but since Vastaamo it has happened twice,
and that's overall only four data points,
but it feels like it's accelerating a little bit.
And I imagine that's the kind of thing where the more it works,
the more it's going to happen.
Totally.
Like ransomware itself.
If you were in Vastaamo's position,
and you've said,
no, I will not pay,
and now the hacker is going to individual patients,
what is your move?
I don't know if anybody really has a move, right?
They've essentially ceded all the power to the hacker at this point.
Like, people are throwing money at him to patch the problem,
which is only probably, you know,
supporting his argument that he has something of value
that somebody should be paying him for.
But the other problem is that there's no way that you can ever know
that he's deleted it and won't just do this again.
So nobody has any forms of protection.
Like, you know, in the classic ransom, you know,
there is a child involved.
You know there's a real human that gets passed around in the traditional, you know,
quintessential ransom case. But in a data case, you can make duplicates and copies.
Like, there's no way to guarantee that there's not, you know, a million other copies of
this stuff sitting in the cloud somewhere. So you have no certainty. Like, really, the only
certainty would be full-bore busting the person who's doing it and everyone they're associated with,
and hoping that you get as much of the data
locked down and, like, you know, kind of re-secured.
Like, you find as many of the data stores
that they are probably keeping it on as possible.
So I think that really your best move
is probably just to lean into a criminal police solution
because I don't think that there's really anything
that's going to protect you otherwise.
Vastaamo's big PR play in response to all of this
was to offer patients one free counseling session.
According to William Ralston's coverage on this,
one patient says that their therapist advised her to consider
that not everything being said in the news was true.
Some patients got nervous and started trying to get physical copies of their records
to figure out what had been leaked or what might be leaked.
Victim support Facebook groups started popping up.
But the Monday that follows, a couple of things happened
all at once.
Tapio, the man who founded the company back in 2009 with 20,000 bucks, was fired as CEO.
A few hours later, the equity firm Intera, that bought the company, filed a motion
seizing just shy of 12 million bucks from the Tapio family, roughly what they paid for their share in the company.
Which is when the question of who was really responsible for all of this came to the forefront.
And we are going to get to that right after the break.
So wait, before we go, everybody's immediate thing was to pull as much money as they
humanly could out of the company before it eventually shut down.
That's what everybody kind of did.
That's a, that is some risk mitigation right there.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something too late.
An alert buried, a signal missed, an SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI.
They created the Aurora superintelligence platform, a fully agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy.
And all of this is running on their secure operations graph,
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week
and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries
human analysts. Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven decision
reflects your environment instead of generic assumptions. The automation frees your concierge security
team to focus on higher value strategy and proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready
AI in security operations actually looks like, go to arcticwolf.com/hacked.
Never feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head.
Organizations around the world saw headlines they never expected and cybersecurity teams
were tested like never before, but here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened,
but why these attacks succeeded.
And most importantly, what businesses can do to fortify their defenses before it's too late.
You're going to walk away with real insights in how threat actors are evolving,
how defenders are responding,
and what strategies can help you stay ahead of the next big breach.
It's not fear mongering.
It's practical, actionable, intelligence
from experts in the trenches.
Register now at arcticwolf.com/hacked.
I want to go back a little bit
to those two security professionals
who worked at Vastaamo,
Lind and Kaskinen.
Last year, I watched
the Chernobyl HBO miniseries.
Did you watch that?
Of course I did.
Who didn't watch that?
It's really, really good.
And it taught me that when something explodes,
literally or figuratively,
the very first thing that happens
as everyone takes out their pointer finger
and they start frantically aiming it
at everyone that isn't them.
And the three players in this drama all do that.
They are.
Intera, the big company that bought Vastaamo,
who is pointing the blame at Tapio,
the founder and now ex-CEO,
who is himself pointing the blame
at Lind and Kaskinen,
the two security professionals.
And if shit runs downhill,
Lind and Kaskinen are at the very bottom of that hill.
Intera's argument is that their entire purchase of Vastaamo is null and void, and they want their money back.
Because, as they outline in their filings, by the time they bought Vastaamo, the breach had actually already occurred, and they hadn't been told.
They say in the filing, quote, based on the information received so far, it is reasonable to assume that Ville Tapio was aware of the breach.
They also claim that, quote, he sought to conceal those alleged attacks, which is the foundation of Intera's argument that they should be able to dissolve the transaction and get their money back.
To remind you of our timelines, the story seems to kick off in 2020 when that ransomware message first comes in.
But at this point, the hacker claims they've already had these files for 18 months.
This is what they told that journalist.
Intera, who is suing Tapio, claims that therefore there must have been a breach that they were not aware of.
in 2018 and 2019.
This would line up with the hacker's claim that he'd had the patient files for 18 months.
If Tapio knew about the breach,
knew that patient files had been stolen for 18 months but kept it a secret,
this is what Intera's lawsuit alleges.
But according to Tapio, that first breach, when the files were probably stolen,
he says he didn't know about it,
and he points the blame firmly at Lind and Kaskinen.
And the reason why, he claims, is because Lind and Kaskinen did not tell him.
The security firm Nixu that Vastaamo hired to investigate found that that first breach in 2018,
where the files got taken, was accompanied by a blackmail message,
some piece of text that made very explicit that the crash was the result of a hacker
and that some data had been compromised.
And according to that research firm, someone with an administrator account deleted that message.
The question is who controlled the account that deleted the post.
The post that would have blown up this multi-million dollar deal with Intera.
At the time, Tapio claims that Lind and Kaskinen told him the crash
could have been caused by some small network adjustments.
Tapio claims that Lind and Kaskinen controlled that account,
and that if someone deleted this blackmail message,
the one that came in 18 months earlier, it must have been them.
And the reason he argues,
that they did this was to conceal a vulnerability that they had created,
one that left Vastaamo's patient databases without firewall protection for over a year.
That is Tapio's story, and he is sticking to it.
And so far in all of this, Lind and Kaskinen are kind of a blank slate, right?
We don't really know much about them.
They're two security professionals getting blamed for this massive failing of security.
Kind of makes sense.
But there's this one important detail about them that,
may or may not be relevant to all this,
which is that just before they joined Vastaamo,
they'd been arrested as part of a giant security breach
at the Finnish funding agency for technology and innovation.
They'd figured out that they could download
this database of all these companies
by changing a URL on a funding application.
They downloaded it.
They got caught.
There was a pretrial investigation
for aggravated fraud, breach of confidentiality, and burglary.
The prosecution couldn't totally,
totally figure out that they'd done it for financial gain or just because they realized they
could. So it all kind of faded away. And now this pair finds themselves again in a room full of people
all pointing fingers at each other with a lot of those fingers pointed squarely at them.
So we're left here. Intera says Tapio knew. Tapio says he didn't know, and that Lind and Kaskinen,
two pretty good fall guys as fall guys go, had covered
it up. And Lind and Kaskinen have said nothing.
A $12 million fortune remains frozen until this lawsuit is resolved,
and all of those patients, their information is still out there.
I'm captivated, Jordan.
I need to know what happens to these poor people's information.
Oh, man, you're not going to like it.
Yeah, I figured.
On January 28th, Vastaamo was put into liquidation,
and it filed for bankruptcy two weeks later.
In early March, its staff and services were transferred over to this other company called Verve,
who provides occupational welfare services.
Verve did not acquire Vastaamo's consumer data,
and Verve is going to be using a Class A system.
The scandal sparks a couple of changes in Finland,
some of them really tangible and some of them more abstract.
Finnish parliament passed legislation basically overnight
that would allow victims to change their social security numbers
in the event of a major breach,
which I don't know if we have that over here,
but that seems like a very good idea.
There are debates about whether,
even in a Class A system,
if therapy records should be stored
on any kind of a central database,
if that data has any reason at all
to ever leave a consultation room.
But I think that until some kind of a scalable,
secure platform exists,
more enterprising individuals are going to keep cooking up their own
and more stuff like this is going to keep happening.
Because 48 hours before the final nail was put in the coffin of Vastaamo,
a compressed, more easily shareable version of the entire Vastaamo patient database
appeared on a dozen file sharing sites.
It is still out there floating around like every other leak ever,
but somehow also very, very different.
That's a pretty broad question about digitization of health records at all,
especially mental health records.
You know, I think that's something that we're...
I think we're giving a pass to how insecure paper records are
because they're physically bound
where the internet, you know, the internet's the internet.
The reason why e-commerce is such a big business
is because you can have a purchaser from anywhere in the world.
And, you know, there might not be a local burglar
who's going to break in and steal your paper patient records.
But when you look at 7 billion people
versus however many people live in the tiny Finnish town you're from.
There's bound to be a hacker in the 7 billion
that will burgle your private data.
I think that's where we need to go
is we need better encryption systems at a mass level.
Like when a doctor needs to access a patient health record,
that health record should be completely key encrypted
until unlocked by the doctor's key.
And I think that we need better solutions like that
to further and kind of figure this out.
You brought up Ashley Madison earlier,
and I was intrigued by this
because I remember when Ashley Madison happened,
and it felt like a website about infidelity
having a data breach would be about the most vulnerable thing
a person could have come out about them.
And this just blew that out of the water.
Yeah.
Like the contents of a therapy session
are such an order of magnitude more sensitive
than anything in my email
or my social media or probably like a camera roll.
And the trouble is that people don't need a site
for finding people to have affairs with.
But a lot of people need therapy.
People need medical treatment however they can get it.
And if digital is how they can get it right now,
then we have some stuff to figure out very, very quickly.
I now know more about how this is
legislated in Finland than I do in my own country. And I imagine that's probably true for most
listeners. And that's worth changing because people are always going to need that place to go get answers.
They're always going to need a Vastaamo. But Vastaamo ain't how to do it.
Thanks for listening, everybody. Attention. All Michelle Kisers and David Gidley's.
Thanks for becoming our newest patrons on Patreon. That's cool as hell of you.
It's the best way to support the show and it means a lot to us. If you haven't,
You can also rate and subscribe on your podcast app of choice.
It also goes an incredibly long way towards getting the show in front of new folks so we can keep making more.
Our main source for this episode was William Ralston's fantastic reporting on the subject.
There's a lot that's been written about this, most of it in Finnish, but Ralston's writing really synthesized all of it beautifully.
I guess the other thing I want to end with is just maybe a shout out to randomly bumping into one of our fans, IRL, at the sandwich shop the other day.
So, you know, good looks, and thanks for being a fan.
Thanks for listening. Catch you on the next one.
