Young Finnish man detained in absentia over data breach at Vastaamo

The Vastaamo psychotherapy clinic hack and extortion attempt in Finland, first disclosed in 2020, remains one of the most sensitive and disturbing breaches DataBreaches has ever covered. Past news items about it can be found here. Now there is an update. Aleksi Teivainen of Helsinki Times reports: The District Court of Helsinki on Friday detained a 25-year-old man in absentia on suspicion of breaking into the patient register of Psychotherapy Centre Vastaamo. The Finnish man is suspected of aggravated computer break-in, attempted aggravated extortion and aggravated dissemination of information violating personal privacy. Investigators at the National Bureau of Investigation (KRP) are also looking into his possible ties to extorting and disseminating information on victims of the hacking. Read more at Helsinki Times. The English version of the police press release: One arrested in absentia in connection with Vastaamo’s data breach The Central Criminal Police has made progress in the investigation of the data breach targeting the Psychotherapy Center Vastaamo. In the preliminary investigation, a 25-year-old Finnish man has been arrested in absentia and wanted, whom the police suspect of the data breach targeting Vastaamo. A European arrest warrant has been issued for the person. Helsinki District Court is on Thursday 27 October. arrested one person in absentia with probable cause on suspicion of felony data breach, felony attempted extortion, and felony dissemination of information in violation of private life. The Central Criminal Police demanded an arrest in connection with the preliminary investigation of the data breach targeting the Psychotherapy Center Vastaamo, which the police first announced in October 2020. The police know that the suspect is currently staying abroad, which is why he was arrested in absentia. A European arrest warrant has been issued for the person, under which he can be arrested abroad. After the arrest, the police request the extradition of the suspect to Finland. An Interpol international wanted notice will also be issued for the suspect. The suspect is a 25-year-old Finnish citizen. The police have made significant progress in the investigation. This point has been reached with long-term and careful work. In the preliminary investigation, there has been close cooperation between both police departments and other authorities in Finland and internationally. It is still too early to estimate the time when the preliminary investigation can be considered for charges, says the head of the investigation, crime commissioner Marko Leponen from the Central Criminal Police. The preliminary investigation is still ongoing. The police are also investigating the connection of the person suspected of the data breach to the extortion of the victims of the data breach and the dissemination of information. Victims are reminded to report a crime and fill out an electronic statement form About 22,000 interested parties have filed a criminal complaint with the police in connection with the case. Due to the exceptionally large number of victims, the hearings of the interested parties are carried out electronically. The police has only received about 6,400 electronic statements. We urge all victims to file a criminal complaint and those who filed a criminal complaint to give an electronic statement. It’s worth filling out the statement form, because that way you stay involved in the criminal process and get the opportunity to present your claims in the case, says Leponen. According to the police’s estimate, around 10,000 victims have not filed a criminal report. The police urges you to file a criminal complaint if your personal information has been leaked online or you have received a blackmail message related to the data breach of Vastaamo Psychotherapy Centre. Interested parties who have filed a criminal report can fill out the declaration form on their own through the police’s electronic transaction platform. You can find instructions for filing a criminal report and an electronic statement on the police’s website. Police instructions for the victims of the Vastaamo data breach

Administrative fine imposed on psychotherapy centre Vastaamo for data protection violations

A hack and extortion attempt involving the psychotherapy center in Vastaamo, Finland was — and remains — one of the worst breaches ever covered on and because it involved the sensitive mental health information of tens of thousands of patients and a coverup by an executive of the clinic. Now EDPB has posted an enforcement action by Finland: Background information Date of final decision: 7 December 2021 Cross-border case or national case: National case Controller: Psychotherapy centre Vastaamo Legal Reference: Notification of a personal data breach to the supervisory authority (Art. 33(1)), Communication of a personal data breach to the data subject (Art. 34(1)), Principles of integrity and confidentiality (Art. 5(1)(f)), Data protection impact assessment (Art. 35), Responsibility of the controller (Art. 24), Data protection by design and by default (Art. 25), Security of processing (Art. 32), Accountability (Art. 5(2)) Decision: Infringement of the GDPR, administrative fine and reprimand Key words: personal data breach, patient data Summary of the Decision Origin of the case The psychotherapy centre Vastaamo notified the Data Protection Ombudsman about an attack against its patient record database in September 2020. In October 2020, the Office of the Data Protection Ombudsman started an investigation into the legality of Vastaamo’s operations. Key Findings Vastaamo neglected its duties related to the safe processing of personal data as well as reporting a personal data breach. Based on a technical investigation by the data security company Nixu in October 2020, the Deputy Data Protection Ombudsman finds that Vastaamo must have become aware that the patient data had disappeared and that it may have ended up in the possession of an external attacker already in March 2019. Vastaamo should have reported the breach both to the supervisory authority and its customers without delay. The Deputy Data Protection Ombudsman finds that the personal data had not been appropriately protected against unauthorised and illegal processing or accidental disappearance, and Vastaamo had not implemented basic measures to ensure the safe processing of personal data. Due to insufficient documentation, Vastaamo was not able to prove that it would have complied with the appropriate safety requirements, either. Decision The Deputy Data Protection Ombudsman issued Vastaamo a reprimand on violating the GDPR. The sanctions board of the Office of the Data Protection Ombudsman imposed an administrative financial sanction of EUR 608 000 on Vastaamo. The sanctions board considers the acts of negligence extremely serious and Vastaamo’s actions in neglecting the duty to notify intentional. Furthermore, the violations were long-lasting. Vastaamo was declared bankrupt in February 2021. An administrative fine is the lowest priority claim in a bankruptcy. Therefore, the financial sanction will not reduce the funds available for other claims in bankruptcy, such as potential compensation for damages. For further information: Decision of the Deputy Data Protection Ombudsman and the sanctions board in Finlex (FI) Press release: Administrative fine imposed on psychotherapy centre Vastaamo for data protection violations (EN) The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.

In wake of horrific Vastaamo breach, Finnish government tables laws to protect data from cyber criminals

Gerard O’Dwyer reports: The huge data security breach and cyber-ransom attack at Finland’s Vastaamo Psychotherapy Centre has provoked a swift response from the government, which is primed to introduce more rigid laws and measures to protect the country’s databases and sensitive information from cyber criminals. […] In a significant bolstering of Finland’s data security laws, new legislation will require all enterprises offering social and healthcare services to join Kanta’s state-run national digital services platform. Kanta operates a secure database system that requires enhanced electronic recognition, supported by banking codes, to access social welfare and healthcare sector databases. All public sector social welfare and healthcare services use the Kanta system, which is voluntary for private enterprises. Read more on

Fi: Hacked therapy centre’s ex-CEO gets 3-month suspended sentence

YLE reports: Helsinki District Court handed a three-month suspended sentence to the former CEO of a psychotherapy firm targeted in a major data breach. The court found the ex-CEO of Vastaamo, Ville Tapio, guilty of a data protection crime because he did not fulfil General Data Protection Regulation (GDPR) requirements, in terms of the pseudonymisation and encryption of patient data handled by the center. Read more at YLE. See our past coverage of the Vastaamo hack and extortion attempts on DataBreaches. Julius ‘zeekill’ Kivimäk, formerly of Lizard Squad, was arrested in France in February. The clinic itself had been fined for the breaches and declared bankruptcy. The CEO faced a number of charges including covering up breaches, but this current issue was about the failure to adequately protect the sensitive therapy data. Unlike U.S. law, prosecutors in Finland can appeal decisions. Whether they will appeal the suspended sentence remains to be seen.

Julius ‘zeekill’ Kivimäki, former Lizard Squad hacker, arrested in France

Recidivism is a thing. Alexander Martin reports: Julius Kivimäki, the Finnish member of Lizard Squad — who as a teenager in 2015 was convicted on over 50,000 counts of computer crimes — has been arrested again in France. Finnish police confirmed the arrest on Friday in a press release stating the suspect is being held by French authorities while they “immediately initiate measures to extradite the suspect to Finland.” Finland’s police service had issued a European arrest warrant for Kivimäki, who now goes by the first name Aleksanteri, on charges of computer-related crime and racketeering and extortion. Read more at The Record. For more on his 2015 arrest, see Daily Dot’s coverage at the time. Also see Brian Krebs’ reporting from November 2022 about Kivimäki’s alleged connection to the Vastaamo psychotherapy clinic extortion attempt.

Then a Hacker Began Posting Patients’ Deepest Secrets Online

William Ralston has a piece on Wired to put a human face on what happened to Finnish therapy patients of the Vastaamo clinic.  The Vastaamo hack, extortion attempt, and data dump was one of the worst breaches of 2020 and  an absolute nightmare in terms of a breach exposing personal and sensitive information. And what first appeared to be a horrifying breach became a scandalous breach when it was later learned that an earlier breach had been covered up instead of properly remediated. Today’s piece by Ralston is not his first piece on the Vastaamo incident but is well worth reading – not only to appreciate the human impact of breaches when the impact can not only be severe but long-lasting, but also because this is one of those incidents that entities should never forget and strive to prevent every day in their own facilities and organizations. Read the story on Wired.

A dying man, a therapist and the ransom raid that shook the world

William Ralston reminds us how devastating the Vastaamo breach and ransom incident has been: Jukka-Pekka Puro will never forget 2017. Facing the heartbreak of a divorce, Puro, a university lecturer in Turku, southwestern Finland, found himself tussling with depression. This spiralled into suicidal ideations when doctors told him he had aggressive kidney cancer, and no more than a few years to live. He knew he needed professional help. Puro turned to Vastaamo, a private company that runs 25 therapy centres across Finland, and sub-contracts psychotherapy services for Finland’s public health system. Through a handful of therapy sessions he divulged intimate details about his personal life and mental health issues and slowly came to accept that he was soon going to die. Read more on Wired.

Finland government to help victims of identity theft

The Finnish Government has decided on measures to help victims of identity theft and to improve personal identity protection. The Ministry of Social Affairs and Health will firstly ensure that the victims of the data breach at Psychotherapy Centre Vastaamo continue to receive the necessary psychosocial and other support. Support will continue to be provided through a number of different operators and channels for as long as is required. The Ministry will also monitor and coordinate the aftercare of the situation within the healthcare and social welfare services system. Read more on Security Document World.

Finnish therapy clinic’s CEO fired after nightmare breach

There’s a small update to the horrific breach involving Finnish psychotherapy patients seen at Vastaamo locations. Vastaamo’s CEO  Ville Tapio has been fired. Graham Cluley brings us up to date on that: An investigation has uncovered that the database of customer details and therapy session notes was first breached in November 2018, but there was another security breach in mid-March 2019 which apparently CEO Ville Tapio knew about but – for reasons best known to himself – did not inform the appropriate authorities or with other members of Vastaamo’s board. News of Vastaamo’s devastating data breach was not made public until 18 months later on October 21, 2020, and Tapio was dismissed yesterday. So there was a second breach, it seems, and it wasn’t just one bigger breach.  Okay. Another new revelation may not be related to the specific breach as much as sloppy data security and violation of GDPR. reports: The troubled psychotherapy centre Vastaamo sent at least some of its customers invoices that included their government-issued personal ID numbers in unsecured emails. The private mental health services firm has been at the centre of a hacking and blackmail scandal for the past week after it emerged that highly sensitive information on thousands of patients had been stolen from its database. Read more about that issue on