Government unveils security measures in response to Vastaamo data hack

Robust electronic recognition would be required for all social and healthcare services and e-business transactions.

The government aims to fast-track legislation making it easier to change one’s personal identity code.

On Thursday, the cabinet announced steps in response to the massive data breach at the private mental healthcare company Vastaamo, which has led to extortion attempts. Personal data on as many as 40,000 patients may have fallen into criminal hands.

Minister of Local Government Sirpa Paatero (SDP) said she believes that the bill can be presented to Parliament by the beginning of next year.

At present, individuals are only allowed to change their personal ID numbers in very rare circumstances.

Paatero, who is responsible for overseeing state electronic services, said the government will also introduce clearer regulations governing the secure handling of personal identity codes.

All private providers must join Kanta

All firms offering social and healthcare services will be required to join the national Kanta services, a database system that requires enhanced electronic recognition with banking codes for access.

All public-sector social welfare and healthcare services use the system. It operates under the Social Insurance Institution of Finland (Kela) in partnership with the Ministry of Social Affairs and Health, the National Supervisory Authority for Welfare and Health (Valvira), the Finnish Institute for Health and Welfare (THL) and the Digital and Population Data Services Agency, which was formed this year through the merger of several other agencies.

Kanta participation by private firms is voluntary, though. Vastaamo and many other firms in the sector have not so far joined the system, instead allowing patients to access their data by simply using their social security numbers.

One-stop cancellation of all cards

The government also intends to overhaul procedures to be followed when someone becomes the victim of a data breach.

The goal is to enable people to immediately block all card services and access to databases with one click at one website, rather than having to individually file requests with multiple card-issuers and service providers – and potentially overlooking some, as is now the case.

Minister of Justice Anna-Maja Henriksson (SPP) said that the cabinet also wants to require robust electronic recognition systems to be put in place for all electronic business transactions in Finland.

This would prohibit, for instance, taking out an instant payday loan or buying a big-ticket household appliance on an instalment plan using simply an ID number, as is now possible in some cases.