The article is more than 3 years old

Vastaamo board fires CEO, says he kept data breach secret for year and a half

The CEO was apparently aware of a second data breach and shortcomings in the psychotherapy provider’s data security.

Ville Tapio Image: Jari Kovalainen / Yle
Yle News

The board of private mental health services firm Vastaamo on Monday dismissed CEO Ville Tapio with immediate effect following a disastrous data breach.

Board chair Tuomas Kahri will take charge of the company’s operations along with the management team.

The firm has been in the eye of a storm since last week, when it was revealed that highly sensitive information on thousands of patients had been stolen from its database. Vastaamo, which has treated some 40,000 patients, is a subcontractor to several major public-sector hospital districts.

Some of the files – including exceedingly personal material such as diaries, diagnoses and contact information – have been published on the dark web. The firm and individual patients and staff members have received demands to pay bitcoin ransoms to stop more information from being leaked.

2nd breach in March 2019, shortly before firm was sold

Initially the company said that the breach only affected data from before November 2018.

On Monday the board said that an internal probe had determined that a second breach had occurred in March 2019. It appears that at that point Tapio was aware of the breaches and of shortcomings in the psychotherapy provider’s data security systems.

Following the 2019 cyberattack, Vastaamo’s data security was beefed up. However, its current board and principal owner were not informed of the March 2019 data breach or the data security weaknesses.

Also on Monday, Vastaamo’s main owner, PTK Midco, began legal proceedings related to its purchase of Vastaamo in May 2019. PTK Midco is owned by the Helsinki-based private equity firm Intera Partners.

No "critical data security shortfalls" found in spring of 2019

In April and May of that year, an outside firm carried out an inspection of Vastaamo’s IT systems in connection with the acquisition. That probe found several areas for improvement but no critical data security shortfalls. Vastaamo says it has been continually upgrading its data systems ever since.

When the firm’s management first learned of the extortion effort in late September, cyber security firm Nixu was hired to inspect and upgrade Vastaamo’s data security systems. It did not find any evidence of any breaches after March 2019.

Vastaamo says that Nixu has made progress in its probe and shared information with the National Bureau of Investigation (NBI) and the Finnish Transport and Communications Agency (Traficom).

Vastaamo says it has launched a number of processes to support its customers, which are listed on its website.

Yle has not been able to reach Tapio for comment.

The tabloid paper Ilta-Sanomat was first to report his dismissal.

Victim Support Finland, backed by the Ministry of Justice, provides guidance in English for those who suspect that their data may have been compromised in the Vastaamo breaches. More information at this link.
