Vastaamo, the psychotherapy provider at the centre of a massive data breach that affected up to 40,000 people, initially downplayed estimates of the number of patients affected by the security intrusion. The low estimate emerged in an official report that the company sent to the office of the Data Protection after the data theft occurred.
According to the filing, Ville Tapio, then-CEO of Vastaamo and two other employees received extortion emails on 28.9. While the messages began with a salutation in Finnish, the rest was in English.
"Good day. I am a hacker. I have copied Vastaamo’s patient database," it said in Finnish, before laying out its ransom demands.
Vastaamo reported the matter to the ombudsman’s office the very next day and said that it was not necessary to personally inform patients of the incident.
"It would require a disproportionate effort and the breach will be announced publicly," the company declared in the filing.
Vastaamo appeared to have erroneously estimated that the data theft only affected certain customer records between 2012 and 2014. It speculated at the time that the patient contact information stored in its database would for the most part be invalid.
The Data Protection Ombudsman’s office later ordered the firm to personally inform all customers of the breach.
The number of people affected by the data breach also turned out to be significantly more than originally believed. According to police, roughly 25,000 criminal complaints have been filed over the matter.
Unauthorised download of patient data
The filing sent to the Data Protection Ombudsman also revealed that the company had had previous problems with data security.
In April 2019, one employee who had been fired, unlawfully saved data relating to 29 patients on their own computer. Later that year in December, a customer was mistakenly sent bills for six other patients.
Breaches of confidential data must be reported to the Data Protection Ombudsman if the intrusion could jeopardise the victim’s rights and freedoms. The National Supervisory Authority for Welfare and Health (Valvira) must also be notified if the data theft poses a risk to patient safety or the security of their data.
You can listen to Yle News' All Points North podcast about the Vastaamo data breach via the embedded player here or via Yle Areena, Spotify (siirryt toiseen palveluun), Apple Podcasts (siirryt toiseen palveluun) or your usual podcast player using the RSS feed (siirryt toiseen palveluun).
Article continues after audio.
A so far unknown hacker apparently gained access to the psychotherapy centre’s patient database in 2018. The company discovered the intrusion in September this year.
Vastaamo also said that its data systems were the target of another breach in March 2019, and added that former CEO Tapio concealed information about that incident. He was later fired.
According to information obtained by Yle, Vastaamo did not inform Valvira or the ombudsman about the March 2019 incursion.
On Tuesday the firm announced that some of its board members had changed and former Esperi Care CEO Heini Pirttijärvi had been appointed board chair. She is also a former Vastaamo chief executive.