On Wednesday, the government will summon for an evening session to discuss changes in the law regarding identity theft. Here’s what we know about the events surrounding the data breach of Psychotherapy Center Vastaamo.

Illustration: Bankenverband

The recent cyberattack against Psychotherapy Center Vastaamo has led the company board to terminate the working relationship with CEO Ville Tapio, who after his resignation on Monday publicly described on Facebook that “he is deeply sorry.”

Tapio said that as the former CEO, one of his tasks was to ensure the safety of the services. “To accomplish that I had hired professionals that according to my estimation were more proficient than I. Apparently, many human errors caused a chain reaction. As a CEO I take full responsibility for what happened.”

What we know has happened so far is that a massive amount of patient records were stolen and leaked on the internet last week. Criminal investigations, according to Vastaamo, had already begun this autumn, after a perpetrator—or perpetrators—approached employees of Vastaamo with an extortion message, and the National Bureau of Investigation began criminal investigations.

People whose patient records have been stolen said that they have received emails where the sender is threatening to leak the stolen information unless the respondent pays a ransom.

Vastaamo also started cooperating with a cybersecurity company who in their preliminary assessment noted that the customer database was most likely stolen already in March 2018. The vulnerability, according to the company’s statement, was open for attacks until March 2019, and “it is possible that individual records may have been inspected or copied at a second time.”

Internal investigations, according to Vastaamo, however, revealed that another data breach indeed happened in March 2019 and at this point “it is likely that the company CEO was aware of the data breach and became aware of the flaws in the data security.” The attack caused the company to improve the protection of its digital data and to fix the vulnerability in its customer database.

According to Vastaamo, the board was neither notified of the data breach nor of the lack of security in their system. The company however added that it was not able to find certainty in how the events had folded.

PTK Midco Oy, which became the majority owner of Vastaamo in 2019, has taken legal action against Vastaamo because of the possibility that the psychotherapy center has withheld information during the business acquisition.

Many companies working with social security numbers and debt collecting have taken action to help the victims whose identities have been stolen.

Some of the ministers in the government summoned on Sunday to discuss how to provide support for the victims of the data breach.

In an interview earlier, President Sauli Niinistö called the data breach “ruthlessly cruel.” He also stressed that in the case of encountering leaked personal information one should withdraw from looking at it.

On Wednesday, the government will summon to an evening session to discuss new legislation regarding data security and identity thefts.

VASTAAMO IN BRIEF

Vastaamo is a private company offering psychotherapy services, established in 2008.

The company was founded by psychotherapist Nina Tapio and her son, software developer Ville Tapio. Currently, the company employs about 260 people and operates in 22 municipalities.

In 2019, a Finnish equity firm Intera invested in Vastaamo and became a majority owner through its holding company PTK Midco Oy.

Vastaamo’s turnover was less than half a million euros in 2012 but by 2019 the turnover had increased to €13.9 million. The same year the company made a loss of nearly €0.5 million.

Sources: Finder, Intera.