The former CEO of the privately-run psychotherapy centre Vastamo has been charged with data protection offences, the National Prosecution Authority has announced in a press statement.
The Helsinki-based company's database was breached on at least two separate occasions — in November 2018 and March 2019 — leading to extortionists demanding payment of nearly half a million euros for the data's return in October 2020.
When the company refused to pay, the sensitive patient information was leaked onto the dark web.
Vastaamo filed for bankruptcy in February 2021.
Detective Inspector Marko Leponen of the National Bureau of Investigation (NBI) said earlier this month that the suspected data protection offences were not a single act, but occurred over a longer period of time. He added that the NBI probe had looked at a period starting more than two years before the first known data breach.
Vastaamo's former CEO, Ville Tapio, declined to comment to news agency STT on Tuesday, but his legal representative Liina Kokko said that Tapio has denied the charge.
"He has not neglected any of his responsibilities, but has acted diligently as CEO of the company. He has been incorrectly accused of being the person responsible for the data breach at Vastaamo," Kokko said.
No charges against IT managers
In addition to Tapio, two other people working in the company's IT department were also suspected of data protection offences by the NBI. However, prosecutors have decided not to press charges against either individual.
The NBI investigation revealed that both the CEO and the IT managers knew about the data breach and the subsequent blackmail demands. The investigation further revealed that there had been several data breaches and other security breaches at the company over a period of several years.
However, prosecutors said, the CEO ordered that any evidence relating to the breaches and the blackmail demands be covered up.
"Tapio was aware of the information breach and the blackmail and had decided that it had not happened and that it was not necessary to bring it to the attention of the authorities," the prosecutor's statement said.
Investigation into data breach, blackmail continues
The suspected hacking of Vastaamo's database and blackmail attempts are still being investigated by police, with Yle sources saying the main line of investigation is now focused outside Europe.
Due to the period of time between the data breaches and the first blackmail demand, police believe the hacker and the blackmailer may not be the same person or group. Offices have not established which country or countries are involved, or how many suspects there are, at this stage.
Vastaamo's database contained the information of about 33,000 people, and so far 22,000 former clients of the firm have filed a request with police for investigation.