“We are grateful for how various actors in society have helped the police. It is particularly great that citizens are urging all not to share this material on social media. Sharing such information fulfills the essential elements of an offence,” said Marko Leponen, a detective inspector at Finland’s National Bureau of Investigation.
The stolen information reportedly included health and personal information, psychotherapy notes, care plans, dates of visits, management goals and statements.
Upon discovery of the incident, Vastaamo conducted an internal investigation and found that their patient database had first been accessed by hackers in November 2018. The issues with their database security continued until March 2019. However, their CEO, Ville Tapio concealed the breach from their board and parent company. He has since been fired.
“This data breach is shocking in many ways. Victims now need support and help. Ministries are exploring ways to help victims. Action by municipalities and organizations are also needed,” stated Finland’s Prime Minister, Sanna Marin.
Vastaamo began notifying affected patients on October 21.