Logos of Psychotherapy Centre Vastaamo on several screens. Prosecutors in September announced the service provider’s former chief executive has been charged with a data protection offence over data breaches that resulted in the leak of sensitive data on thousands of patients. (Emmi Korhonen – Lehtikuva)


VILLE TAPIO, a former chief executive of Psychotherapy Centre Vastaamo, has been charged with a data protection offence over information security vulnerabilities that resulted in a leak of sensitive information on thousands of patients from the database of the now-bankrupt service provider, reports Helsingin Sanomat.

The offence carries a maximum penalty of one year in prison.

The prosecutors assigned to the case decided not to bring charges against the two other suspects, who were employed in the information technology department of Vastaamo.

The nolle prosequi indicates that the company’s ex-chief executive and two information technology specialists received a blackmail e-mail on 28 September. The sender claimed to have gained access to the entire patient register of Vastaamo, threatening to start publishing the details unless their demands were met.

The sender provided evidence of the patient data at their disposal in a total of three e-mails, revealing in the last one that they had downloaded the data a few months earlier directly from the company’s database.

Vastaamo reported the extortion and data breach to the police the following day.

It also commissioned an external investigation into its cybersecurity systems. Carried out by Nixu, the investigation identified significant shortcomings in the information system.

Police found during their pre-trial investigation that a third party had exploited the vulnerabilities to gain access to sensitive patient data. The prosecutors concluded based on the findings that information security matters at the company were in “absolute chaos when it comes to available resources, budget, using and utilising the necessary expertise, and training and skills”.

They indicated that their decision not to prosecute was based on the discovery that the information technology staff were overworked and had messaged the management about the data security vulnerabilities and development needs, to no avail.

The two other suspects, they explained, were not in a position to comply with provisions in the general data protection regulation on measures to guarantee information security.

The pre-trial investigation also confirmed that the data breach was not a one-off incident but that several breaches had taken place over the year.

Although Tapio and Vastaamo’s information technology division are believed to have known about the breaches, authorities were not notified of the incident until the report about the attempt to extort the company.

Aleksi Teivainen – HT