NBI suspects 3 of gross negligence at data leak therapy company


News of the data breach at psychotherapy company Vastaamo first surfaced in October 2020, when the company announced that sensitive patient data had been hacked and leaked.

The preliminary investigation heard witness statements and requested statements from information security experts. Image: Silja Viitala / Yle

The National Bureau of Investigation (NBI) has completed a preliminary investigation into the suspected data protection offenses related to a massive data breach at the private psychotherapy center Vastaamo.

The NBI suspects three persons of gross negligence in the processing of personal data. The suspects were responsible for the company’s data security and protection. The case goes to the National Public Prosecutor’s Office for handling.

ALSO READ  Border guard: 20,000 Russians may arrive this weekend; opposition leaders see potential threat

News of the company’s data breach first surfaced in October 2020, when the company announced that sensitive patient data had been leaked following a hack of its database.

“The investigation focuses on the state of security and data protection of personal data and sensitive information before and after the data breach at Vastaamo. The preliminary investigation was demanding because it involved a lot of technical data collection and research”, Marko Leponenwho led the investigation on behalf of the NBI, said in a statement Monday.

ALSO READ  Reuters: Germany nationalizes gas company Uniper on Wednesday

During the preliminary investigation, statements from several witnesses were heard and data security experts were contacted for related information.

All three suspects have denied the charges, police said.

Data breach investigation conducted outside Europe

The company has said it was the target of data breaches in November 2018 and March 2019.

In October 2020, the private center disclosed that sensitive information from approximately 30,000 patients had been stolen by hackers who then attempted to extort money from the company and its customers. Information entered into their system after 2018 had not been compromised.

ALSO READ  Russians empty some Finnish ATMs with Chinese credit cards

Vastaamo filed for bankruptcy in early 2021.

Authorities have said that due to the time span between the data breach and the extortion, the perpetrators of each of these crimes may not be the same.

Research director Leponen told Yle that the investigation into the data breach is progressing. From now on, the main line of research will focus outside Europe. The perpetrator may be Finnish despite the traces that lead abroad, according to Leponen.