Marko Leponen, a detective chief inspector at the National Bureau of Investigation (KRP), reacted at a news conference in Vantaa in October 2021. Leponen revealed last week that an international warrant for the arrest of a 25-year-old Finnish man has been issued in connection with the data breach at Psychotherapy Centre Vastaamo. (Jussi Nukari – Lehtikuva)


THE DISTRICT COURT of Helsinki on Friday detained a 25-year-old man in absentia on suspicion of breaking into the patient register of Psychotherapy Centre Vastaamo.

The Finnish man is suspected of aggravated computer break-in, attempted aggravated extortion and aggravated dissemination of information violating personal privacy. Investigators at the National Bureau of Investigation (KRP) are also looking into his possible ties to extorting and disseminating information on victims of the hacking.

The man is believed to be living abroad and an international warrant for his arrest has been issued, according to a press release issued by KRP on Friday.

“Our understanding is that he was living abroad when the extortion took place. But where he was when the data breach itself happened at the turn of 2018 and 2019, we don’t have a clear understanding of that,” Marko Leponen, the officer in charge of the pre-trial inquiry at KRP, told YLE on Friday.

Although the man was identified as a possible suspect relatively early in the large-scale inquiry, the investigators had to rule out a number of other names that emerged during the inquiry.

“The probable cause for which he was detained in absentia wasn’t confirmed until very recently,” revealed Leponen.

The investigators have yet to determine how much the suspect profited from the offence because not nearly all of the victims have reported the offence to police. Leponen said the number of offences reported in the case stands presently at roughly 10,000 – low compared to the 33,000 clients whose personal and patient details were reportedly obtained in the breaches.

“We don’t have a precise understanding of the victims who paid ransom to the perpetrator,” he added. “We’re talking about pretty marginal sums, though. Our findings suggest that about 20–30 people paid ransom.”

He declined to comment on whether the inquiry has uncovered other possible crimes, citing ongoing investigations by foreign authorities.

Psychotherapy Centre Vastaamo was declared bankrupt in early 2021, a couple of months after first reports of the large-scale data breach had emerged. The service provider has stated that its patient database was infiltrated first in November 2018 and then in March 2019.

Ville Tapio, a former chief executive of Vastaamo, has been charged with data protection offence over the vulnerabilities that resulted in the leak and publication of sensitive information on thousands of patients. Prosecutors have described the state of information security at the company as “chaotic”.

Helsingin Sanomat on Friday wrote that the man suspected of hacking into the patient database has an “exceptional” criminal record with offences dating back to his teens.

The District Court of Espoo in 2015 found the man guilty of 50,700 counts of aggravated computer break-in, aggravated interference with communications, aggravated fraud, aggravated message interception and computer break-in, handing him a suspended prison sentence of two years.

In 2020, he was convicted for making false police reports to send law enforcement authorities to private residences in the US and reporting an unfounded bomb threat to American Airlines. The man has appealed against the ruling.

Aleksi Teivainen – HT