NPA 2022: A case study of Vastaamo, the hacked psychotherapy app

Author: Kave Noori

The 7th edition of the Nordic Privacy Arena (NPA) was held on September 26-27, 2022. The conference included 23 agenda items on data protection. This is article 3 of 3 highlighting lectures and discussions. Today we will focus on a presentation given on the Vastaamo case in Finland. This case involves an online psychotherapy app that was hacked, leading to the exposure of patient data.

Kian Rozi, board member of the Swedish Data Protection Forum, welcomes Erka Koivunen and Kim Parviainen to the stage to talk about the Vastaamo case. The first speaker, Erka, is an expert in security and risk assessment and has testified as an expert witness for the EU Parliament, the Finnish Parliament and the UK Parliament. He is currently Chief Security Officer at WithSecure. Erka begins by telling how the Finnish psychotherapy service provider Vastaamo was attacked, with all patient data stolen and eventually leaked to the public.

Erka explains that Vastaamo's internally developed patient data system often broke down, and in 2017 the system administrators opened remote access to it. The reason was that the administrators were tired of being constantly woken up in the middle of the night and called out on weekends to fix the system. However, this allowed 7 billion people to access the system. In 2018, the system was broken into at least twice, and data from therapy sessions was accessed and exposed.

Erka Koivunen believes that the data breach could have been prevented if the company had been more transparent about its previous security breaches. The company’s CEO was approached by the attacker and confronted with a ransom demand, but refused to pay. The attacker then decided to take the game to the extreme by approaching the media and threatening to release the patient data if the CEO did not pay. When this did not work, the hacker began to blackmail the patients themselves.

”It requires a certain type of a damaged person to start extorting people who have gone to psychotherapy in the worst times of their lives and threatening to expose those transcript notes in exchange for money. And yet that person did,” says Erka Koivunen.

Erka argues that a competent privacy officer or security auditor would have noticed that something was wrong with the way remote management practices and systems were handled. He says that making database servers directly accessible on the Internet, where they can be found through a simple search, deviates from industry best practice. In Finland and other Nordic countries, it is easy to find out information about people. Many authorities are happy to share the information they hold about a person with anyone who asks.

Erka Koivunen then turns the floor over to the second speaker, Kim Parviainen. Kim Parviainen is a Partner at Castrén & Snellman, a law firm in Finland. He has experience in a variety of legal areas, including corporate law, intellectual property law, and data protection law.

Kim says that the leaked data of 33,000 people is a big human disaster. This is one of the worst civil disasters in Finland in the last decade. He goes on to say that the Finnish DPA and police are investigating the data leak and that this has changed legal practice in Finland, particularly in relation to mergers and acquisitions. Law firms are now doing more due diligence when buying and selling companies.

Kim Parviainen says that many large healthcare providers were considering buying the lost Vastaamo business but were afraid of liability and possible fines. He explains that under the GDPR, an ”undertaking” can consist of multiple legal entities that are considered a single entity. In this sense, the GDPR relies on how terms are defined in EU competition law.

Kim Parviainen says that there is now a discussion among lawyers about whether a parent company that acquires a subsidiary that receives a GDPR penalty can inherit liability for it, just as in EU competition law. He also discusses whether a lawyer can reasonably be expected to discover this type of technical misconduct as part of a normal due diligence process. In Kim's conclusion, the answer is no. Kim also finds it difficult to imagine that a lawyer's client would normally be willing to pay for technical due diligence as well.

Update 28 October 2022:
On October 27, the Helsinki District Court issued an order for someone to be arrested and held in jail while awaiting trial. The charges are aggravated computer break-in, attempted aggravated extortion, and aggravated dissemination of information that violates privacy. This is in connection with the criminal investigation into the hacking incident targeting the Vastaamo psychotherapy app. A European arrest warrant has been issued for the suspect. He is a Finnish citizen aged around 25 and police suspect he is currently abroad.

The police have received 22,000 reports of the crime but have only received 6,400 electronic witness statements from the victims. The police estimate that another 10,000 victims have not contacted the police at all. They are urging all victims to report the crime and complete the electronic statement form, in order to remain parties to the criminal procedure and be able to present their claims in the matter.

Read more in the press statement of the Finnish Police (available in Finnish, Swedish and English versions).