NBI suspects 3 of gross negligence in therapy company data breach | New


News of the data breach at psychotherapy company Vastaamo first emerged in October 2020, when the company announced that sensitive patient data had been hacked and leaked.

The preliminary investigation heard testimony from several witnesses and requested statements from information security experts. Image: Silja Viitala/Yle

The National Bureau of Investigation (NBI) has completed a preliminary investigation into alleged data protection breaches related to a massive data breach at the private Vastaamo Psychotherapy Centre.

The BNI suspects three people of gross negligence in the processing of personal data. The suspects were responsible for the company’s security and data protection. The case will be referred to the National Prosecuting Authority for review.

News of the company’s data breach first emerged in October 2020, when the company announced that sensitive patient data had been leaked after its database was hacked.

“The investigation focuses on the state of security and protection of personal data and sensitive information before and after the data breach at Vastaamo. The preliminary investigation was demanding as it involved numerous collections and examinations of technical data”, Marko Leponenwho conducted the investigation on behalf of the NBI, said in a statement released Monday.

The preliminary investigation heard statements from multiple witnesses and contacted data security experts for related information.

Police said all three suspects denied the allegations.

Data breach investigation outside of Europe

The company said it was the target of data breaches in November 2018 and March 2019.

In October 2020, the private center announced that the sensitive information of approximately 30,000 patients had been stolen by hackers who then attempted to extort money from the company and its customers. Information entered into their system after 2018 had not been compromised.

Vastaamo filed for bankruptcy in early 2021.

Authorities said that due to the time lag between the data breach and the extortion, the perpetrators of each of these crimes may not be the same.

Investigation Director Leponen told Yle that the data breach investigation is progressing. As of now, the main line of inquiry points outside of Europe. It is possible that the author is Finnish despite the traces leading abroad, according to Leponen.


Comments are closed.