Therapy Sessions for Sale: How Mental Health Records Became Ransomware’s Most Valuable Loot

A stolen credit card sells for $5 on the dark web. A Social Security number on its own goes for about a dollar. A complete medical record — names, diagnoses, prescriptions, insurance details, treatment history — sells for $260 to $310 each, ten times the value of any financial credential. And at the very top of the medical-record value pyramid sits one specific category that ransomware operators have been actively targeting throughout 2025 and 2026: behavioral health and psychotherapy data.

Mental health records carry a triple-extortion premium. They contain everything a standard EHR contains — PII, SSNs, insurance — plus clinically detailed disclosures about substance abuse, sexual behavior, family conflict, suicidal ideation, psychiatric diagnoses, custody disputes, infidelity, and trauma history. That second layer is exactly the leverage a competent extortionist needs to bypass the company entirely and squeeze individual patients for ransom — which is precisely what happened to Vastaamo’s 36,000 Finnish patients in 2020, and what threat researchers expect to see at scale in the United States within the next 18 months.

The Breached.company signals intelligence team has been tracking the surge in attacks against behavioral health targets across 2025 and into 2026. The pattern is alarming. The defenders are not winning. And the playbook the attackers are running was openly demonstrated five years ago by a single 25-year-old in Helsinki.

The Vastaamo Reference Architecture

Every threat-intel briefing on mental health data extortion eventually returns to Vastaamo. It is the canonical case — both because of how completely the attack worked and because of how clearly it telegraphed what every subsequent attacker would attempt.

Vastaamo was Finland’s largest private psychotherapy provider, operating 25 clinics across a country of 5.5 million people and acting as a sub-contractor to the Finnish public health system. The company had built a custom EHR — browser-based, MySQL backend — instead of using a validated industry-standard system. The database storing patient records was not encrypted at rest. It was not anonymized. The system root account had no defined password. The therapists’ user-end passwords used to remotely access the system were weak.

Aleksanteri Kivimäki, then in his early 20s, breached the database in November 2018 and maintained access through March 2019. The intrusion was not detected. The data sat in his hands for a year and a half before he made his move.

On September 28, 2020, Kivimäki contacted CEO Ville Tapio with a ransom demand of 40 bitcoin (roughly €450,000 at the time). Vastaamo refused to pay. So Kivimäki executed the playbook that has now become standard:

Phase one — pressure the company. He posted batches of patient records to a Tor message board, releasing 100 records per day, including those of politicians, police officers, and children. The leaked notes contained references to adulterous relationships, suicide attempts, and pedophilic thoughts.

Phase two — go directly to the patients. When the company still refused, Kivimäki sent extortion emails to roughly 30,000 individual patients demanding €200 in bitcoin per person, with the demand doubling to €500 if not paid within 24 hours.

Phase three — full dump. On October 22, 2020, the entire psychotherapy record database was leaked to the dark web — patient PII, SSNs, addresses, phone numbers, emails, doctors’ notes, and verbatim transcripts of therapist-patient conversations.

The downstream damage was catastrophic. Patient suicides were reported. Vastaamo was declared bankrupt in February 2021. Its staff and services were transferred to another provider; the patient database was deliberately not transferred. Ex-CEO Ville Tapio was eventually given a three-month suspended sentence under GDPR. Kivimäki was extradited from France to Finland in February 2023, charged with over 21,000 counts of extortion in October 2023, and sentenced to six years and three months in prison in April 2024.

In a remarkable turn, the Helsinki Court of Appeal released Kivimäki from custody in September 2025 while upholding the conviction. Also in September 2025, Finnish prosecutors charged a 28-year-old American living in Estonia with aiding and abetting the extortion of Vastaamo patients — a reminder that this was never a one-person operation, and that the perpetrators have international networks behind them.

The Vastaamo attack established a clear, replicable, profitable playbook for monetizing therapy data. Five years on, U.S. defenders should not pretend they have not been warned.

The 2025–2026 Mental Health Attack Roster

The Breached.company signals intelligence database has logged a steady stream of attacks against mental and behavioral health providers across 2025 and into 2026. The pattern is consistent: behavioral health is being targeted because attackers know exactly what they have when they breach one of these environments.

Aroostook Mental Health Services — Qilin, March 24, 2026

The Qilin ransomware group posted Aroostook Mental Health Services to its dark web leak site on March 24, 2026. Aroostook is a community mental-health organization serving rural patient populations in the northeastern United States. As of publication, the full scope of data accessed has not been confirmed, and Aroostook had not issued a public statement at the time the listing went live. No ransom demand or data samples have been publicly detailed in the leak-site posting.

For patients of any rural or community behavioral health provider, the Aroostook listing is a textbook reason to monitor for breach notifications. Under HIPAA breach notification rules, if protected health information was accessed, Aroostook would be required to formally notify affected patients. The gap between the dark-web leak-site listing and the HIPAA disclosure is exactly the window in which patients should be monitoring for direct extortion attempts using their own data.

North Texas Behavioral Health Authority — disclosed March 2026 / 285,000 patients

In March 2026, North Texas Behavioral Health Authority disclosed a network intrusion that had taken place in October 2025. The unauthorized access window ran from October 13 to October 15, 2025. The investigation, completed January 7, 2026, confirmed that exfiltrated files contained personal information including Social Security numbers. 285,000 individuals affected.

The five-month gap between intrusion and disclosure is itself the story. North Texas BHA’s intrusion lasted three days in October. The forensic investigation completed in early January. Public notification followed in March. That timeline gives any threat actor more than four months of operational runway between the breach and the moment any patient even has the option to start defending themselves. By the time the breach notification letters hit mailboxes, the data has been on offer in underground markets for months.

Hims & Hers — ShinyHunters via Okta, February 4–7, 2026

Telehealth platform Hims & Hers offers subscription-based mental health treatment alongside hair loss, ED, and weight-loss services, with annual revenues approaching $1 billion and a customer base of 2.5 million subscribers. On February 5, 2026, the company detected suspicious activity on its third-party customer service platform. Investigation confirmed unauthorized access from February 4 to February 7. Public disclosure did not happen until April 2, 2026.

The threat actor was the ShinyHunters extortion gang, working through compromised Okta single sign-on credentials obtained via a months-long voice-phishing campaign targeting Okta customer help desks. Once inside the Okta SSO account, the attacker had keys to every connected SaaS service — including the Zendesk customer support platform. ShinyHunters reportedly stole millions of support tickets.

Hims & Hers maintains that core medical records and doctor communications were not compromised. The exposed data was limited to “names, contact information, and other details related to the support requests people filed.” That phrasing understates the issue: customer-service tickets in healthcare frequently include symptom descriptions, medication questions, refill requests, and other clinically relevant disclosures that didn’t get a “doctor visit” label but contain protected health information all the same. According to the company’s filing, the breach window “may have included some treatment information for certain customers who contacted the company’s customer service department through the online platform between February 2025 and February 2026” — meaning a year of accumulated support tickets.

ShinyHunters’ Okta-credential playbook has been used against hundreds of companies. Any organization running Zendesk, Salesforce, Freshdesk, or similar customer-support platforms with Okta SSO in front of them should treat the Hims & Hers breach as a personal warning.
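For defenders running a support platform behind Okta, the following is an added detection example, not code from the original article or from any company named in it. It assumes that a successful help-desk vishing call shows up in the Okta System Log as a factor or password reset performed by someone other than the account owner, and it flags a subsequent SSO into a support app from an IP address that account has never used. The app labels, the 24-hour window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Okta System Log event types used below.
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.account.reset_password"}
SSO_EVENT = "user.authentication.sso"
# Assumption: the app labels your tenant uses for its support platforms.
SUPPORT_APPS = {"Zendesk", "Salesforce", "Freshdesk"}
WINDOW = timedelta(hours=24)  # assumption: how long a reset counts as recent


def when(event):
    """Parse the ISO 8601 'published' timestamp of a System Log event."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def targets(event, kind):
    return [t for t in event.get("target", []) if t.get("type") == kind]


def detect_post_reset_sso(events):
    """Flag SSO into a support app from a never-seen IP soon after a help-desk reset."""
    known_ips = {}  # user -> IPs seen while no recent reset was pending
    pending = {}    # user -> (reset time, account that performed the reset)
    alerts = []
    for event in sorted(events, key=when):
        etype = event["eventType"]
        actor = event["actor"]["alternateId"]
        if etype in RESET_EVENTS:
            for user in targets(event, "User"):
                if user["alternateId"] != actor:  # ignore self-service resets
                    pending[user["alternateId"]] = (when(event), actor)
        elif etype == SSO_EVENT and event["outcome"]["result"] == "SUCCESS":
            ip = event["client"]["ipAddress"]
            apps = {t["displayName"] for t in targets(event, "AppInstance")}
            seen = known_ips.setdefault(actor, set())
            reset = pending.get(actor)
            recent = reset is not None and when(event) - reset[0] <= WINDOW
            if recent and ip not in seen:
                # Never learn an IP that first appears right after a reset.
                if apps & SUPPORT_APPS:
                    delta = when(event) - reset[0]
                    alerts.append({
                        "user": actor,
                        "ip": ip,
                        "apps": sorted(apps & SUPPORT_APPS),
                        "reset_by": reset[1],
                        "minutes_after_reset": int(delta.total_seconds() // 60),
                    })
            else:
                seen.add(ip)
    return alerts


def make_event(published, etype, actor, ip, target_type, target_id, label=""):
    """Build a constructed event holding only the System Log fields used above."""
    return {
        "published": published, "eventType": etype,
        "actor": {"alternateId": actor}, "client": {"ipAddress": ip},
        "outcome": {"result": "SUCCESS"},
        "target": [{"type": target_type, "alternateId": target_id,
                    "displayName": label}],
    }


# Constructed sample data: example.com accounts and documentation-range IPs.
SAMPLE_EVENTS = [
    make_event("2026-01-10T09:00:00.000Z", SSO_EVENT, "agent@example.com",
               "192.0.2.10", "AppInstance", "zendesk", "Zendesk"),
    make_event("2026-01-10T09:05:00.000Z", SSO_EVENT, "nurse@example.com",
               "192.0.2.20", "AppInstance", "zendesk", "Zendesk"),
    make_event("2026-01-12T15:00:00.000Z", "user.mfa.factor.reset_all",
               "helpdesk@example.com", "192.0.2.50", "User", "agent@example.com"),
    make_event("2026-01-12T15:12:00.000Z", SSO_EVENT, "agent@example.com",
               "203.0.113.77", "AppInstance", "zendesk", "Zendesk"),
    make_event("2026-01-12T15:20:00.000Z", SSO_EVENT, "nurse@example.com",
               "198.51.100.5", "AppInstance", "zendesk", "Zendesk"),
    make_event("2026-01-12T16:00:00.000Z", SSO_EVENT, "agent@example.com",
               "192.0.2.10", "AppInstance", "zendesk", "Zendesk"),
]

if __name__ == "__main__":
    for alert in detect_post_reset_sso(SAMPLE_EVENTS):
        print(alert)
```

Only the sign-in from 203.0.113.77 is flagged: the nurse account's new IP has no preceding reset, and the agent's later sign-in comes from an address already in its baseline.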

Confidant Health — exposed September 2024 / 5.3 terabytes / no password

Confidant Health is a Texas-based AI-powered virtual care provider serving behavioral health and addiction treatment patients in Connecticut, Florida, New Hampshire, Texas, and Virginia. In September 2024, security researcher Jeremiah Fowler discovered Confidant Health’s production database sitting on the open internet without any password protection. No authentication of any kind.

Inside: 5.3 terabytes of data. 126,276 files. 1.75 million logging records. The contents:

  • Psychotherapy intake notes
  • Psychosocial assessments documenting trauma history, family conflicts, and psychiatric history
  • Audio and video recordings of therapy sessions
  • Drug test results with names, addresses, and substance findings
  • Driver’s licenses and state ID cards
  • Medicaid cards and insurance cards
  • Letters of care listing prescription medications

Confidant Health secured the database within an hour of being notified, and co-founder Jon Read told Wired that “less than 1% of files” were exposed and an external audit found “no malicious actors accessed patient records.” That’s the company’s claim. The reality is that the database had no authentication on it at all. The duration of exposure was indeterminate. Anyone who knew the file-storage paths could have downloaded the entire archive. We have no way to verify that no one did.

The Confidant Health incident is the clearest illustration in recent memory of why the typical “data breach” framing understates the risk for mental health providers. There was no breach in the traditional sense. There was no intrusion. There was a misconfigured cloud storage bucket containing video recordings of people’s most intimate clinical conversations sitting unprotected on the open internet for some unknown duration. Compared to ransomware, this is the entire problem in raw form — the data is so sensitive that the moment it stops being protected, the harm is already done.

Covenant Health — Qilin, May 18–26, 2025 / 478,188 patients

Covenant Health operates St. Joseph Hospital in Maine, St. Mary’s Health System in Maine, and St. Joseph Hospital in New Hampshire. On May 18, 2025, the Qilin ransomware group breached the organization’s IT systems and maintained access through approximately May 26. Federal law enforcement was notified at the time. The investigation completed December 10, 2025.

Wait times at St. Mary’s increased during the attack. Labs were forced to process paper orders only. St. Joseph Hospital in New Hampshire restricted lab services to the main hospital campus and required physical paper orders. Breach notification letters went out to victims on New Year’s Eve, December 31, 2025. 478,188 patients affected. Exposed data included names, dates of birth, medical record numbers, Social Security numbers, and treatment details.

This wasn’t a standalone behavioral health provider, but Covenant Health operates significant behavioral health services across its facilities, and the exposure of treatment details across nearly half a million patients is exactly the kind of catalog Qilin can monetize through individual patient extortion if it chooses to.

Cerebral — 3.2 million people exposed via tracking pixels, 2023 / settled 2024

Cerebral is the most-prosecuted mental health platform of recent years. The company self-reported a 2023 incident affecting 3.2 million people, in which sensitive data — names, medical histories, IP addresses, prescription details, and treatment plans — was shared with third parties including LinkedIn, TikTok, Meta, and Google through tracking pixels embedded on Cerebral’s website.

This wasn’t a hack. It was the architecture. Cerebral’s marketing team had instrumented its onboarding survey, intake questionnaire, and treatment pages with the same kind of conversion-tracking pixels used by every direct-to-consumer e-commerce site. Those pixels transmitted users’ clinical disclosures — symptom selections, medication histories, mental health questionnaire answers — back to social and ad platforms in real time, before users had any meaningful opportunity to consent.

The FTC and DOJ filed in April 2024, resulting in a $7 million settlement that included a “first-of-its-kind” prohibition banning Cerebral from using any health information for most advertising purposes. The settlement also addressed “sloppy security practices” — allowing former employees to access user data, and mailing promotional postcards on which patient names and diagnoses could be read through the envelope window. Cerebral entered a separate $3.65 million non-prosecution agreement with the U.S. Attorney’s Office for the Eastern District of New York and the DEA in November 2024 over its prescribing of controlled substances like Adderall.

Cerebral is the cautionary tale on the non-ransomware side of the data exposure ledger. Mental health data leaked through ad-tech tracking — without an attacker, without a breach event, without anyone getting paid in bitcoin — can be just as damaging as a Qilin double extortion.

BetterHelp — FTC settlement, 2023

Owned by Teladoc, BetterHelp paid $7.8 million to the FTC in 2023 — the agency’s first-ever settlement requiring refunds to consumers whose health information was compromised. The FTC alleged BetterHelp shared the email addresses, IP addresses, and health questionnaire information of approximately 7 million users with Facebook, Snapchat, Criteo, and Pinterest for advertising purposes, despite explicit promises that information would stay private.

Specifically — and this is the detail that should chill anyone who has ever filled out a therapy app intake form — the FTC alleged that information identifying people who had previously been in therapy was disclosed to Facebook, allowing Facebook to serve those users targeted ads for more counseling. A perfect closed-loop monetization of mental health vulnerability.

Talkspace — TikTok tracker class action, 2024

Filed by Courtney Mitchener in U.S. District Court for the Central District of California in 2024, this class action alleged Talkspace had embedded TikTok’s “fingerprinting” software on its website, which transmitted visitor data — device details, geographic location, referral information, and medical information including data about minors — to TikTok before users even cleared the cookie banner. The plaintiff voluntarily withdrew the suit in September 2025, but the underlying tracker behavior had already happened, and the class members affected had already had their data transmitted.

This sits in the same category as Cerebral’s pixel issue: not a “hack” in the traditional sense, but an architectural data leak that had the same downstream privacy effect. From the Breached.company threat-modeling perspective, the distinction matters less than the outcome — the data ended up where the user did not consent to it ending up.
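The pixel exposures described for Cerebral, BetterHelp and Talkspace can be checked for before a page ships. The following is an added example, not code from the original article or from any of those companies: a static audit that parses page HTML and flags requests or inline loaders pointing at ad-tech hosts, treating any hit on a clinical route as a release blocker. The host list is illustrative and non-exhaustive, and the route prefixes and sample pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative, non-exhaustive host list for the vendors named in the cases above.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta",
    "facebook.com": "Meta",
    "analytics.tiktok.com": "TikTok",
    "snap.licdn.com": "LinkedIn",
    "googletagmanager.com": "Google",
    "google-analytics.com": "Google",
    "doubleclick.net": "Google",
    "sc-static.net": "Snapchat",
    "static.criteo.net": "Criteo",
    "ct.pinterest.com": "Pinterest",
}
# Hypothetical route prefixes for pages that collect or display clinical data.
CLINICAL_PREFIXES = ("/intake", "/assessment", "/treatment")
HOST_IN_TEXT = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")


def vendor_for(host):
    """Return the vendor for a host or any of its subdomains, else None."""
    host = host.lower().rstrip(".")
    for suffix, vendor in TRACKER_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None


class ResourceCollector(HTMLParser):
    """Collect hosts the browser would contact, plus hosts named in inline scripts."""
    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.hosts = []       # list of (host, how it was referenced)
        self._inline = False  # True while inside a <script> without src

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(self.URL_ATTRS.get(tag, ""))
        if url:
            host = urlparse(url).hostname
            if host:
                self.hosts.append((host, f"<{tag}> request"))
        if tag == "script":
            self._inline = not url

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

    def handle_data(self, data):
        if self._inline:
            for host in HOST_IN_TEXT.findall(data):
                self.hosts.append((host, "inline script loader"))


def audit_page(path, html):
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    severity = "block" if path.startswith(CLINICAL_PREFIXES) else "review"
    return [
        {"path": path, "vendor": vendor_for(host), "host": host,
         "how": how, "severity": severity}
        for host, how in collector.hosts if vendor_for(host)
    ]


def audit_site(pages):
    """pages maps a route to its rendered HTML; returns all findings in order."""
    return [f for path, html in pages.items() for f in audit_page(path, html)]


# Constructed sample pages, not taken from any real site.
SAMPLE_PAGES = {
    "/": '<html><head><script async '
         'src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>'
         '</head><body>Home</body></html>',
    "/intake/questionnaire": """<html><head>
<script>
!function(f,b,e,v){var t=b.createElement(e);t.async=!0;
t.src=v;b.head.appendChild(t)}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
</script>
</head><body>
<form action="/intake/submit"><select name="symptom"></select></form>
<img height="1" width="1" src="//analytics.tiktok.com/constructed/pixel.gif">
</body></html>""",
    "/treatment/plan": '<html><head><script src="/static/app.js"></script>'
                       '</head><body>Plan</body></html>',
}

if __name__ == "__main__":
    for finding in audit_site(SAMPLE_PAGES):
        print(finding)
```

A static pass like this misses tags that a tag manager injects at runtime, so pair it with a headless-browser network capture of the same routes.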

And the broader behavioral health sector through 2025–2026

The Breached.company signals intelligence database has tracked these specific behavioral health and mental health-adjacent breaches as part of the broader healthcare ransomware surge:

  • Green Ridge Behavioral Health (Maryland) — 14,000+ records exposed in a 2019 ransomware attack; resulted in HHS’ second-ever ransomware HIPAA settlement in February 2024 for $40,000
  • Denton County MHMR Center (Texas) — disclosed in early 2026 that a year-old attack had exposed PHI of 108,967 patients including medical history, treatment information, insurance data, and biometric identifiers
  • Richmond Behavioral Health Authority (Virginia) — listed by Qilin among October 2025 victims
  • ManageMyHealth (New Zealand) — Kazu ransomware breached patient portal in early 2026, exposing 120,000+ records including medical histories and Medicare details; ransom demand approximately $60,000

Healthcare more broadly has seen 47 ransomware victims in a single 30-day window in early 2026, 21 active ransomware groups simultaneously targeting the sector, and 115+ terabytes of data stolen from healthcare providers in 2025 alone. The sector recorded 27 ransomware incidents in January 2026 alone — the highest of any sector.

Why Mental Health Records Command Premium Prices

The economics here are worth being explicit about because they explain why the targeting will continue.

A stolen credit card — $5 on dark web markets. Useful for one or two fraudulent transactions before the issuing bank flags activity and reissues the card. Disposable.

A Social Security number alone — about $1. Useful as one input among many; not particularly valuable in isolation.

A complete medical record — $260 to $310. Useful for medical identity theft (fraudulent prescriptions, insurance billing, even surgical procedures performed under the victim’s identity), for synthetic identity fraud (combining real medical records with fabricated PII), and for re-extortion. Cannot be canceled. A medical history is permanent. A diagnosis is permanent. An admission of substance use, an entry about an affair, a documented suicide attempt — none of those can be reissued like a credit card.

A complete mental health record — premium pricing on top of medical record value. Stolen patient records have reportedly sold for as much as $1,000 each when the contents are clinically detailed, including therapy session notes, audio recordings, or other rich behavioral content. This is the Vastaamo premium. The data isn’t just useful for medical identity fraud; it can be used to extort the patient directly.

Therapy session videos and transcripts are something else entirely. There is currently no functioning underground market price for video recordings of psychotherapy sessions because, fortunately, the Confidant Health-style exposure is rare and most threat actors haven’t yet figured out how to operationalize the format. That is going to change. The day a major behavioral health provider’s session recordings end up on a Qilin or Insomnia leak site, the underground pricing model for mental health data will reset upward.

The exfiltration economics are also worth noting. According to the University of Minnesota’s analysis of healthcare ransomware patterns, attackers fall into two broad strategy categories: those aiming to steal and sell PHI, and those aiming to cause maximum operational mayhem in pursuit of a ransom payout. Mental health providers are increasingly targeted by both strategy categories simultaneously, because the operational urgency of behavioral health (you cannot easily delay a patient in crisis) translates into faster ransom decisions, while the data sensitivity of behavioral health translates into higher dark-web resale value if the company doesn’t pay.

The Threat Actor Roster Targeting Mental Health

A handful of ransomware groups are responsible for the bulk of the behavioral health targeting in 2025–2026. Knowing them by name is useful — both for monitoring leak-site listings and for understanding the playbook each is likely to run.

Qilin (also known as Agenda). Believed to be of Russian origin. Most prolific ransomware operation of 2025 with 1,022 publicly disclosed cyberattacks to its name. Originally written in Golang, now operating in Rust as well, with Linux/VMware ESXi and Windows variants. Claimed Aroostook Mental Health Services (March 2026), Covenant Health (May 2025 / 478,188 patients), Richmond Behavioral Health Authority (October 2025), and the Synnovis NHS pathology services attack in London (June 2024) that resulted in over 1,100 surgery cancellations, 170 cases of patient harm, two cases of long-term or permanent harm, and one patient death. Qilin operates a Ransomware-as-a-Service model with affiliates and offers a “Call Lawyer” feature in its negotiation interface to increase psychological pressure on victims. The group has explicitly stated it will continue targeting healthcare providers.

INC Ransomware. 19 confirmed attacks on healthcare providers, primarily targeting mid-sized regional health systems. Behavioral health providers are within their targeting range.

Insomnia. The most active ransomware group targeting U.S. healthcare in early 2026. Claimed responsibility for the Southern Illinois Dermatology breach affecting 160,000 individuals.

Medusa. 1.6+ million records breached across healthcare attacks. Ransom demands typically $1–2 million.

ShinyHunters. The threat actor behind the Hims & Hers breach. Specializes in voice-phishing of help desks to compromise Okta SSO accounts, then pivoting through to connected SaaS platforms (Zendesk, Salesforce). Has compromised hundreds of organizations through this playbook.

SAFEPAY. Identified by Health-ISAC’s 2026 Global Health Sector Threat Landscape Report as one of the most active ransomware groups targeting health entities.

Kazu. Recently breached ManageMyHealth in New Zealand and Aroostook patient data. Behavioral health within targeting scope.

The Health-ISAC 2026 Global Health Sector Threat Landscape Report tracked 455 ransomware incidents globally throughout 2025 affecting healthcare. The report explicitly warns that AI-enabled attacks will dramatically escalate the threat landscape in 2026 — automated phishing, AI-driven misconfiguration discovery, and AI-generated malware variants all reduce the cost and accelerate the speed of attack development.

What’s Different About 2026

A few specific dynamics make 2026 different from any prior year for behavioral health cybersecurity:

1. AI-amplified attack velocity. Phishing campaigns that previously took weeks to develop now ship in hours. Initial-access brokers can identify vulnerable behavioral health targets faster, and ransomware affiliates can execute end-to-end campaigns in shorter timeframes. The dwell time between initial compromise and full impact is collapsing.

2. The customer support layer is the soft underbelly. The Hims & Hers / ShinyHunters / Okta pattern is now well-established. Most healthcare organizations have hardened their EHR and core clinical systems — but the customer-facing support tools (Zendesk, Salesforce Service Cloud, Freshdesk) running on top of corporate SSO are dramatically less protected, and they hold support tickets that frequently contain PHI.

3. The data retention windows are absurd. Talkspace retains transcripts as 10-year medical records. Mental health platforms regularly hold a decade of intimate disclosures from each patient. Every additional year of retention is another year of data to be exfiltrated. If a Vastaamo-style attack hit a U.S. platform with a decade of retention, the blast radius would be staggering.

4. The AI training-data angle. A new attack vector has emerged: stealing therapy data not for extortion, but as training material. Talkspace itself is openly building an AI therapy companion called TalkAI on top of 8 billion words of patient messages. Other AI companies have shown willingness to acquire data of questionable provenance to feed model training. The incentive to steal mental health data and quietly resell it to AI vendors — rather than burn it via extortion — is now a viable monetization path that didn’t exist 18 months ago.

5. The disclosure timelines are getting longer, not shorter. North Texas Behavioral Health Authority’s October 2025 intrusion was disclosed in March 2026. Hims & Hers detected its February 2026 breach within a day but did not disclose publicly until April 2, 2026. The gap between intrusion and notification is exactly the window in which threat actors monetize the data, and it is widening.

6. Proposed HIPAA Security Rule update is still not finalized. HHS published a proposed update to the HIPAA Security Rule in January 2025 — the most significant revision since the rule’s inception, mandating MFA, encryption, network segmentation, and stronger risk analysis as actual requirements rather than “addressable” recommendations. The final rule is expected in May 2026 with a 6-month compliance window. Until that rule is final, behavioral health providers are operating under a regulatory framework that does not require basic controls like multi-factor authentication.

Practical Defensive Posture for 2026

Behavioral health and telehealth providers reading this should not be calibrating their defensive posture against the median healthcare provider. They should be calibrating against Vastaamo, Confidant Health, and Covenant Health. The threat model is direct extortion of vulnerable patients, not just operational disruption of the provider.

For behavioral health providers, hospital CISOs, and telehealth platforms:

  • Monitor ransomware leak sites as a breach-notification trigger. Aroostook Mental Health Services was on Qilin’s leak site before any HIPAA disclosure. Southern Illinois Dermatology was listed by Insomnia in February before HHS reporting. Treat a leak-site listing of your organization as a presumptive breach requiring immediate investigation.
  • Reduce dwell time aggressively. The North Texas BHA intrusion lasted three days but went undisclosed for five months. Network detection and response coverage matters more than perimeter prevention at this point.
  • Harden the customer support layer like a clinical system. Zendesk, Salesforce, Freshdesk — anywhere PHI flows through a customer-facing tool, that tool needs the same controls as the EHR. MFA, SSO hardening, behavioral analytics on help-desk staff accounts.
  • Eliminate tracking pixels from clinical workflows. The Cerebral, BetterHelp, and Talkspace exposures all stemmed from advertising and analytics pixels embedded in clinical pages. These have no place in HIPAA-regulated workflows. Period.
  • Audit data retention windows. If you don’t need ten years of transcripts, don’t keep ten years of transcripts. Every year of retention is additional liability.
  • Plan for direct-to-patient extortion. Build patient communication protocols specifically for the scenario in which a threat actor contacts your patients directly demanding ransom. Vastaamo did not have this playbook ready and patients were left to navigate the attacks alone, with fatal consequences.
  • Vet AI training and analytics partners with the same scrutiny as a clinical vendor. The TalkAI-style architecture, in which patient data feeds an AI model, expands your data-sharing surface dramatically. Business associate agreements need to explicitly address training, model deletion in the event of a breach, and provenance auditing.

For patients of mental health platforms:

  • Treat any breach notification from your provider as a serious matter. Direct extortion attempts may follow. Watch your inbox carefully for messages claiming to have your therapy records.
  • Never pay an individual extortion demand without consulting law enforcement. The Vastaamo extortion emails worked because the attackers had real, accurate clinical information. The data was real. Paying does not reliably get the data deleted; it just confirms you’ll pay again.
  • Assume any therapy app may be subject to a future breach. Make your own decisions about what level of disclosure you’re willing to commit to a permanent transcript with that risk in mind.
  • Prefer providers using video-based, non-recorded sessions for clinically sensitive conversations. A live video session that is not recorded leaves no transcript. Chat-based therapy creates a permanent searchable record.

The Direction This Is Heading

The five-year arc from Vastaamo to today describes an industry that has not yet adapted to the threat model it operates under. Mental health platforms continue to accumulate data faster than they harden their environments. Customer-support and ad-tech surfaces continue to leak data outside the HIPAA perimeter. Ransomware operators have professionalized their operations and continue to add tooling — Qilin’s “Call Lawyer” feature, Korean Leaks-style information operations, leak-site infrastructure with full RaaS affiliate panels. AI-amplified attack tooling is reducing the cost of campaigns. And the legal and regulatory framework — HIPAA, FTC enforcement, state privacy laws — is catching up at glacial speed compared to attacker velocity.

The next major incident is not a question of whether. It is a question of whether the U.S. behavioral health sector experiences its Vastaamo moment with a small provider — and the lesson is absorbed at manageable cost — or whether it happens to a major platform with millions of users and a decade of accumulated transcripts.

The Breached.company position on this is simple. Behavioral health data is the most sensitive category of personal information that exists in commerce today. It is being held by organizations that, in many cases, do not appear to understand the threat model they operate within. It is being targeted by professional ransomware operators who do understand that threat model and who have explicitly demonstrated, since 2020, that they can convert that data into per-patient extortion. The only question left is which provider runs the next test of the model.

We will be tracking it on our signals intelligence database. Subscribe for updates if you want to know who’s listed on Qilin, Insomnia, ShinyHunters, and the rest before HHS notification letters land in mailboxes.



Threat Intelligence and Incident Response Resources

For organizations that operate in behavioral health, telehealth, or any environment handling mental health data:

  • Real-time ransomware victim tracking across the major leak sites covered above: Breached.company
  • HIPAA Security Rule guidance, proposed update analysis, and BAA templates: ComplianceHub.wiki
  • Patient-facing privacy guides for users of telehealth and mental health platforms: MyPrivacy.blog
  • Phishing and impersonation defense resources specifically tailored to post-breach extortion attempts: ScamWatchHQ.com

For incident response, vCISO consulting, and tabletop exercises specifically tailored to behavioral health environments — including direct-to-patient extortion scenarios — CISO Marketplace provides offensive security assessment and IR retainer services. We have specific experience helping mental health providers build the patient-communication playbooks that Vastaamo did not have.


Sources: Wikipedia entry on the Vastaamo data breach (continuously updated); The Record from Recorded Future News reporting on Kivimäki and Covenant Health; PMC academic analysis of Vastaamo; Bitdefender and Resecurity tracking of Qilin operations; BlackFog Qilin ransomware analysis; Cohesity double-extortion technical analysis; Bitdefender Korean Leaks campaign analysis; SecurityBoulevard, Cybernews, HIPAA Journal, TechCrunch, Malwarebytes, and Cybersecurity Dive coverage of Hims & Hers; vpnMentor and Wired reporting on Confidant Health; Federal Trade Commission settlements with BetterHelp and Cerebral; Prism News, RedPacket Security, and DeXpose coverage of the Aroostook Mental Health Services Qilin listing; Health-ISAC 2026 Global Health Sector Threat Landscape Report; and University of Minnesota / JAMA Health Forum healthcare ransomware research.