Hadi Rickit | Builder of Things

Case Study on Vastaamo Data Breach

The Vastaamo data breach was Finland’s largest data breach to date (“What we should learn from Finland’s top cybersecurity breaches”, 2024). It exposed sensitive psychotherapy records of tens of thousands of patients and stands as a sobering example of the vulnerabilities and profound impacts associated with inadequate data security practices, particularly in an industry as sensitive as healthcare.

The breach was perpetrated by Aleksanteri Kivimäki and was accompanied by a “double extortion” scheme in which ransoms were demanded both from the organisation and from the individual patients whose records had been compromised (Tuttle, 2021). At its broadest, the breach occurred because Vastaamo’s cybersecurity and software infrastructure were weak. Its root causes were both technical and organisational, compounded by legislative negligence, and together they allowed the attacker to access Vastaamo’s supposedly secure systems repeatedly (Tietosuojavaltuutetun toimisto vs Vastaamo, 2021). The consequences fell on multiple stakeholders. To identify the root causes and those repercussions, the incident has to be understood not as a purely technical shortcoming but as a series of organisational and legislative lapses at several levels. Finally, the case remains pertinent to Australian enterprises, which may face similar regulatory action under Australia’s evolving data protection laws.

The first cause was weak cybersecurity and software infrastructure, further exacerbated by the absence of any independent, third-party audit or penetration test. The database used by Vastaamo was unencrypted, the data itself was neither anonymised nor encrypted, and access controls were weak to non-existent. Remote access to the database was enabled from at least 26 November 2017 to 13 March 2019, meaning it was reachable from the internet without the protection of a firewall (Office of the Data Protection Ombudsman, 2021). According to Nixu’s technical investigation, the most likely cause of the patient record leak was an unprotected MySQL port on the database server. The root account had no password, and user accounts were not restricted to whitelisted IP addresses (Office of the Data Protection Ombudsman, 2021). Vastaamo’s decision to build its IT systems in-house rather than adopt a more established, off-the-shelf product (Ralston, 2020) was also questionable. The bespoke software was never audited or penetration tested, and no anti-virus software was installed on workstations (Tietosuojavaltuutetun toimisto vs Vastaamo, 2021). Court documents indicate that the software consisted of a browser-based user interface with patient records stored in a MySQL database (Tietosuojavaltuutetun toimisto vs Vastaamo, 2021), the very database that, as discussed above, was not appropriately hardened and was consequently accessed by a bad actor.
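As an added illustration (not code from the case sources or from Vastaamo’s own systems), the following Python audit checks a MySQL configuration fragment and rows shaped like the server’s `mysql.user` grant table for the conditions the investigation describes: the service bound to every network interface, a root account with an empty password, and accounts whose host is the `%` wildcard rather than a whitelisted address. It also flags two hardening settings the text implies were absent, encrypted client transport and encryption of data at rest (`require_secure_transport` and `default_table_encryption` are real MySQL 8 system variables). Both configuration texts and both sets of grant rows are constructed samples: the weak set mirrors the state described above, the hardened set shows the corrected settings.

```python
"""Audit a MySQL deployment for the exposure pattern seen in the Vastaamo case:
an internet-reachable port, a passwordless root account, and accounts not bound
to known client addresses.  Illustrative code; inputs below are constructed.
"""
import re

# Constructed my.cnf resembling the weak state: the daemon listens on all interfaces,
# plaintext connections are allowed and tables are stored unencrypted.
WEAK_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# Constructed hardened my.cnf: loopback only, TLS required, InnoDB tables encrypted.
HARDENED_CNF = """
[mysqld]
bind-address = 127.0.0.1
port = 3306
require_secure_transport = ON
default_table_encryption = ON
"""

# Constructed rows as returned by
#   SELECT user, host, authentication_string FROM mysql.user;
# An empty authentication_string means the account has no password.
PW_HASH = "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29"  # sample hash, constructed
WEAK_USERS = [
    ("root", "%", ""),          # passwordless root, reachable from anywhere
    ("app", "%", PW_HASH),      # application account with no host restriction
]
HARDENED_USERS = [
    ("root", "localhost", PW_HASH),   # root only over the local socket
    ("app", "10.10.0.%", PW_HASH),    # application tier limited to its subnet
]

_OPTION = re.compile(r"^\s*([\w-]+)\s*=\s*(\S+)", re.M)


def parse_mysqld_options(cnf_text):
    """Return {option: value} for the [mysqld] section, with '-' normalised to '_'."""
    section = cnf_text.split("[mysqld]", 1)[-1].split("[", 1)[0]
    return {key.replace("-", "_"): value for key, value in _OPTION.findall(section)}


def audit_mysql(cnf_text, user_rows):
    """Return a list of findings; an empty list means none of the checks fired."""
    opts = parse_mysqld_options(cnf_text)
    findings = []

    # Network exposure.  MySQL's default bind-address is '*', i.e. every interface;
    # without a firewall in front of the host that means the internet.
    bind = opts.get("bind_address", "*")
    if bind in ("*", "0.0.0.0", "::"):
        findings.append(f"port {opts.get('port', '3306')} bound to all interfaces ({bind})")

    if opts.get("require_secure_transport", "OFF").upper() != "ON":
        findings.append("unencrypted client connections permitted")

    if opts.get("default_table_encryption", "OFF").upper() != "ON":
        findings.append("data at rest not encrypted by default")

    # Account hygiene from the grant table.
    for user, host, auth in user_rows:
        if auth == "":
            findings.append(f"{user}@{host} has no password")
        if host == "%":
            findings.append(f"{user}@{host} may connect from any address")
        if user == "root" and host != "localhost":
            findings.append(f"root is remotely reachable from {host}")
    return findings


if __name__ == "__main__":
    for label, cnf, users in (("weak", WEAK_CNF, WEAK_USERS),
                              ("hardened", HARDENED_CNF, HARDENED_USERS)):
        print(f"{label}: {len(audit_mysql(cnf, users))} finding(s)")
        for finding in audit_mysql(cnf, users):
            print("  -", finding)
```

A configuration review of this kind only confirms what the server intends to expose; an assessor would pair it with an external port scan of the host, since a permissive `bind-address` is harmless behind a firewall and fatal without one, which is the distinction the Vastaamo findings turn on.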

The second cause was organisational and legislative negligence, underpinned by a general neglect of cybersecurity practice. Cybersecurity governance was inadequate: Vastaamo had only two IT personnel, who have themselves stated that security was not a priority and that they were focused on shipping new features (Ruonakoski, 2023). The allocated resources show that security was not a priority area, and the company and its customers suffered for it. On top of this, Vastaamo failed in its breach notification obligations on more than one occasion by not telling the affected individuals that their data had been accessed. Nixu’s technical investigation found that an attacker had left a blackmail message in the system as early as 15 March 2019 (Tietosuojavaltuutetun toimisto vs Vastaamo, 2021). This should have been a red flag to management, and Article 34 of the General Data Protection Regulation (GDPR) requires a controller to communicate a breach to the people affected without undue delay, yet no disclosure was made (Ralston, 2020). The Data Protection Ombudsman was only notified on 29 September 2020, once the extortion letter had been received and shortly before the extortion of patients began, more than a year and a half after the initial breach (Tietosuojavaltuutetun toimisto vs Vastaamo, 2021); Article 33 of the GDPR requires notification of the supervisory authority within 72 hours of becoming aware of a breach. The authorities classified Vastaamo’s neglect of the duty to notify as intentional (Tietosuojavaltuutetun toimisto vs Vastaamo, 2021). Beyond Vastaamo, the authorities also have a role to play in ensuring data security, and here they missed the mark. In 2014, the Finnish Parliament legislated that medical information systems would be split into Class A and Class B. Class A systems connect to the national health data repository and must therefore meet stricter security and interoperability standards; Class B systems only had to provide a “self certification”.
Vastaamo registered its system as Class B, which allowed it to bypass the more stringent requirements, justifying this by citing the authorities’ lack of data specifications for psychotherapy clinics. Whatever the merit of that claim, the bottom line is that even after the specifications were released, Vastaamo continued to operate as a Class B system, and its system was signed off by the supervisory authorities multiple times (Ralston, 2020). Finland’s supervisory authorities, including the Data Protection Authority (DPA), the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), failed to ensure that Vastaamo was compliant. This is unsurprising given that 280 Class B systems fell under the purview of a single inspector, Antti Härkönen, who has himself described the task as “mission impossible” and acknowledged that there should have been more “proactive inspections” (Ralston, 2020). Resources were plainly insufficient for proactive inspections to take place, and Vastaamo slipped through the cracks. This is an institutional failure: the regulators were neither equipped nor resourced to enforce the rules.

The stakeholders affected were numerous and the harm caused was severe. Thousands of patients suffered emotional distress, and suicides have been linked to the leak, stemming from both the breach of privacy and the extortion attempts (Helsingin Sanomat, 2024). As a company, Vastaamo suffered irreversible reputational damage, regulatory fines and legal claims from affected patients. Moreover, the financial and operational damage was so great that it led to bankruptcy (Tietosuojavaltuutetun toimisto vs Vastaamo, 2021). The healthcare industry as a whole found its cybersecurity practices under the spotlight. The loss of confidence following the breach was so severe that there were calls for stricter data protection measures, including suggestions that certain medical information be stored “permanently offline” (Looi, 2024). Regulatory authorities and agencies, including the Finnish government and the DPA, faced criticism for enforcement gaps and had to implement measures to deal with the fallout, going so far as to pass a law making it easier for victims to change their social security number (The Helsinki Times, 2020). The perpetrator, Aleksanteri Kivimäki, was prosecuted and sentenced to six years and three months in prison (Arntz, 2024). The regulatory action against Vastaamo shows how data protection legislation such as the GDPR has empowered regulators to hold accountable organisations that fail to protect sensitive information. The GDPR mandates strict data security standards, rapid breach notification, privacy rights and a right to erasure, among other things, backed by the power to impose considerable sanctions for non-compliance. This puts significant pressure on organisations to take data privacy seriously and to secure personal data, lest they go the way of Vastaamo, whose failures drew a regulatory fine and ended in bankruptcy (Tietosuojavaltuutetun toimisto vs Vastaamo, 2021).

Under current national and international data protection laws, an Australian enterprise is subject to stringent requirements covering compliance obligations and data management practices, with penalties for failure. An Australian enterprise could therefore face outcomes similar to those Vastaamo faced. The GDPR, though primarily an instrument of the European Union (EU), has extraterritorial reach and applies to an Australian company that processes the personal data of individuals in the EU, or that offers goods or services to them (Office of the Australian Information Commissioner, 2018). Similarly, the California Consumer Privacy Act (CCPA), although United States legislation, affects Australian enterprises with a US presence that handle the data of California residents (“Why Australian businesses should care about the California Consumer Privacy Act”, 2020). National legislation, namely the Privacy Act 1988 and the Notifiable Data Breaches (NDB) Scheme within it, not to mention state and territory laws, sets a clear standard with penalties for non-compliance. The Information Commissioner, through the Office of the Australian Information Commissioner (OAIC), is the national data protection regulator responsible for Privacy Act oversight and enforcement. A hypothetical Australian healthcare enterprise operating only in Australia would be subject to the national laws mentioned above, the Australian Privacy Principles (APPs), the healthcare-specific guidance of the OAIC and the My Health Records Act 2012 (Australian Digital Health Agency, n.d.). It would be obliged to comply with requirements on the handling of sensitive information, obtaining consent, securing data, allowing patients access to their records and adhering to data minimisation principles (Office of the Australian Information Commissioner, 2019).
This hypothetical company would also have to notify affected individuals and the OAIC when an eligible data breach occurs. Since the 2022 amendments, a serious or repeated interference with privacy under the Privacy Act 1988, which includes failing to meet the NDB Scheme’s notification obligations, can attract a penalty of up to the greater of AUD 50 million, three times the benefit obtained from the conduct, or 30 per cent of adjusted turnover for the period; the previous cap was AUD 2.1 million.

Ultimately, the Vastaamo breach was caused by weak cybersecurity and software infrastructure combined with organisational and legislative negligence, and its stakeholders suffered severely as a result. The case underscores the need for tighter regulation and oversight, especially in the sensitive healthcare industry. It also remains a relevant reference point for Australian enterprises handling sensitive information in the current data privacy climate, if the privacy rights of all stakeholders are to be upheld.

Reference list

The Helsinki Times. (2024). What we should learn from Finland’s top cybersecurity breaches. The Helsinki Times. https://www.helsinkitimes.fi/business/25189-what-we-should-learn-from-finland-s-top-cybersecurity-breaches.html

Tuttle, H. (2021). Ransomware attackers turn to double extortion. Risk Management, 68(2), 8-9.

GDPRhub. (2022). Tietosuojavaltuutetun toimisto (Finland) - 1150/161/2021 (English machine translation). https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_1150/161/2021#Further_Resources

Ruonakoski, E. (2023). Vastaamon entinen IT-työntekijä: “Jos jotain ei tehty kunnolla, niin se oli tietoturva” [Vastaamo’s former IT employee: “If anything was not done properly, it was information security”]. MTV Uutiset. https://www.mtvuutiset.fi/artikkeli/vastaamon-entinen-it-tyontekija-jos-jotain-ei-tehty-kunnolla-niin-se-oli-tietoturva/8654000#gs.6umj27

Ghanbari, H., & Koskinen, K. (2024). When data breach hits a psychotherapy clinic: The Vastaamo case. Journal of Information Technology Teaching Cases, 0(0). https://doi.org/10.1177/20438869241258235

Office of the Data Protection Ombudsman. (2021). Administrative fine imposed on psychotherapy centre Vastaamo for data protection violations. Retrieved 15 March 2024 from https://tietosuoja.fi/en/-/administrative-fine-imposed-on-psychotherapy-centre-vastaamo-for-data-protection-violations

Ralston, W. (2020). A dying man, a therapist and the ransom raid that shook the world. Wired. https://www.wired.co.uk/article/finland-mental-health-data-breach-vastaamo

Helsingin Sanomat. (2024). Vastaamo-uhrien juristi: Ihmisiä on päätynyt itsemurhaan tietomurron ja kiristyksen takia [Vastaamo victims’ lawyer: People have taken their own lives because of the data breach and extortion]. Helsingin Sanomat. https://www.hs.fi/kotimaa/art-2000010265660.html

The Helsinki Times. (2020). Finland to make changing social security number easier for hacking victims. The Helsinki Times. https://www.helsinkitimes.fi/finland/finland-news/domestic/18312-finland-to-make-changing-social-security-number-easier-for-hacking-victims.html

Looi, J. C. (2024). The Vastaamo psychotherapy data breach: what are the lessons for healthcare services? BMJ Leader, 8, A3.

Office of the Australian Information Commissioner. (2018). Australian entities and the European Union General Data Protection Regulation. https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/australian-entities-and-the-european-union-general-data-protection-regulation

Gilbert + Tobin. (2020). Why Australian businesses should care about the California Consumer Privacy Act. https://www.gtlaw.com.au/knowledge/why-australian-businesses-should-care-about-california-consumer-privacy-act

Australian Digital Health Agency. (n.d.). My Health Record legislation and governance. https://www.digitalhealth.gov.au/about-us/policies-privacy-and-reporting/my-health-record-legislation-and-governance

Office of the Australian Information Commissioner. (2019). Guide to health privacy. https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers/guide-to-health-privacy/introduction-and-key-concepts