News of the data breach at psychotherapy company Vastaamo first surfaced in October 2020, when the company announced that sensitive patient data had been hacked and leaked.
The National Bureau of Investigation (NBI) has completed a preliminary investigation into the suspected data protection offenses related to a massive data breach at the private psychotherapy center Vastaamo.
The NBI suspects three persons of gross negligence in the processing of personal data. The suspects were responsible for the company’s data security and protection. The case goes to the National Public Prosecutor’s Office for handling.
News of the company’s data breach first surfaced in October 2020, when the company announced that sensitive patient data had been leaked following a hack of its database.
“The investigation focuses on the state of security and data protection of personal data and sensitive information before and after the data breach at Vastaamo. The preliminary investigation was demanding because it involved a lot of technical data collection and research”, Marko Leponenwho led the investigation on behalf of the NBI, said in a statement Monday.
During the preliminary investigation, statements from several witnesses were heard and data security experts were contacted for related information.
All three suspects have denied the charges, police said.
Data breach investigation conducted outside Europe
The company has said it was the target of data breaches in November 2018 and March 2019.
In October 2020, the private center disclosed that sensitive information from approximately 30,000 patients had been stolen by hackers who then attempted to extort money from the company and its customers. Information entered into their system after 2018 had not been compromised.
Vastaamo filed for bankruptcy in early 2021.
Authorities have said that due to the time span between the data breach and the extortion, the perpetrators of each of these crimes may not be the same.
Research director Leponen told Yle that the investigation into the data breach is progressing. From now on, the main line of research will focus outside Europe. The perpetrator may be Finnish despite the traces that lead abroad, according to Leponen.