Ville Tapio of Vastaamo was sentenced to prison – Death threats reduced the punishment

The Helsinki District Court has sentenced the former CEO of the psychotherapy center Vastaamo Ville Tapio to a three-month suspended sentence for a data protection offence.

The District Court moderated the punishment due to the wide publicity received by Vastaamo’s data breach and the death threats Tapio received.

Tapio was in charge of the company when it was hit by an exceptionally large data breach. A hacker broke into Vastaamo’s servers, stole patient data of tens of thousands of Finns and used it for extortion purposes.

The data breach itself is suspected Aleksanteri Kivimäki, formerly known by the first name Julius. He is in prison on suspicion of, among other things, aggravated data breach.

Deficiencies known

According to the indictment, the first data breach took place already in 2018, when the company did not react until 2020 after patient data was leaked to the dark Tor network.

Ville Tapio’s indictment was about the fact that he was aware of his company’s information security weaknesses and the data breach. According to the prosecutor, he did not try to fix the problems, but covered up the tracks.

The IT workers at the counter tried to suggest corrections to Tapio to improve the company’s information security.

The employees and Tapio communicated on the subject on an April night in 2019. At that time, Tapio responded to one proposal as follows:

— At this point, it would be appropriate to go in the lightest possible way, so that the visit entries and statements can be said to be encrypted.

The meeting related to the acquisition of Vastaamo was the day after the exchange of messages.

According to the district court, it appears from the messages that Tapio was aware of the articles of the General Data Protection Regulation regarding pseudonymization and encryption, their meaning, and the fact that they were not followed in Vastamo’s processing of personal data.

Pseudonymization refers to the processing of personal data in such a way that the data cannot be linked to a specific person until additional information is provided, which must be carefully kept separate from the personal data.

According to the district court, the customer’s personal information and visit notes have been stored in Vastaamo’s patient database in plain language without sufficient encryption and in such a form that they could be combined with each other.

According to the court, Tapio’s purpose was to cover up the personal data processing method used by the other side of the business meeting. He tried to get the IT employees to meet the minimum level of solutions to the known deficiencies just barely a day before the business meeting.

– Tapio has committed a data protection crime when he has not implemented the requirements of the General Data Protection Regulation regarding the pseudonymization and encryption of the personal data processed at Vastamo, the court ruled in its decision.

He denied the charge

According to the prosecutors, Tapio tried to conceal the data breach against Vastaamo that took place in March 2019 and had not informed the data protection commissioner’s office and Valvira about it. According to the prosecutors, Tapio also did not take sufficient measures to improve data security after the break-in.

According to the district court, the failure to notify has already expired. According to the court, it was also not shown that Tapio would have ordered the destruction of network traffic data related to the data security breach.

In these respects, the charge was dismissed.

Tapio denied having committed the crimes and demanded that the entire charge be dismissed.

The judgment is not binding. Mightily according to both Tapio and the prosecutors are considering filing a complaint with the Court of Appeal.

Initially, the police also suspected two employees in charge of information security at Vastaamo of a data protection crime. However, the prosecutor did not press charges.