In November 2018, a data security vulnerability in the systems of Vastaamo Oy (“Vastaamo”), a major provider of psychotherapy services in Finland, led to the names, personal identity numbers, and patient records of at least 40,000 patients being stolen by an unknown hacker.
Background of Breach
While the matter is still being investigated and details of the case are not complete or entirely clear, it has been reported that at least one key person at Vastaamo became aware of this breach but did not disclose it.
The breach became public knowledge on 21 October 2020, when someone (“the hacker”) started uploading to the internet information the hacker had stolen, including detailed minutes of patient sessions together with the names and other personal information of the patients in question, in tranches of 100 patients, and indicated that the hacker would continue publishing the patient records until “ransom” demands in the form of bitcoins were paid. Demands for payment were sent not only to Vastaamo but also to some of the individual patients whose information had been stolen.
To complicate matters further, Vastaamo was acquired by the capital investment firm Intera Partners (“Intera”) before the data breach became public. Intera has indicated that it plans to sue the previous owners of Vastaamo for not disclosing the data breach during the acquisition process.
Significance of Breach
The information the hacker stole and published is the most sensitive type of information imaginable, containing detailed patient records relating to mental health or other sensitive and highly confidential matters between patients and therapists, including the treatment plans of people who are fully identifiable by, e.g., their names. From a data security and personal data point of view, the public disclosure of this kind of data is nothing short of cataclysmic. It is without a doubt the worst data breach to become public in Finland, and possibly one of the most significant data breaches on the European level. The disclosure of this data is not only devastating from a personal point of view, but can also potentially be used by other parties to engage in identity theft, for example, by applying for loans or signing contracts using the identities of the patients.
Although the investigation into the breach has only just begun, it appears, even based on the small amount of information now available, that the level of data security and data protection at Vastaamo was insufficient for handling such critically sensitive personal data. Surely there are lessons to be learned, and presumably more than a few healthcare providers are currently auditing their databases.
This cautionary tale also tells us that while EU rules on personal data are the strictest in the world and are highly protective of the rights of data subjects, it is not enough that such rules are good on paper – they must also be implemented and, when necessary, enforced.
Regulation of Data Breaches
The prevention and mitigation of catastrophic personal data leaks like mass data breaches is one of the core raisons d’être of the EU General Data Protection Regulation (“GDPR”) and the EU privacy framework in general. The GDPR has a myriad of overlapping provisions intended to prevent these situations and mitigate the damage when they occur. For example:
- IT systems must be built from the ground up to ensure the protection of personal data (data protection by design and by default, Article 25)
- A level of data security appropriate for the risks involved should be implemented, including e.g. pseudonymization and encryption of data, and regular audits (Article 32)
- Data breaches must be notified without delay and at the latest within 72 hours to the data protection supervisory authority, and without delay to data subjects (Articles 33–34)
- If the data in question is particularly sensitive personal data, additional technical and legal safeguards should be employed based on a risk assessment (e.g. Articles 9 and 35)
- The data controller (i.e. the party responsible for the personal data) needs to be able to actively demonstrate compliance with the GDPR (Article 24)
A common denominator of the above provisions, and the GDPR in general, is the question of risk assessment. The more sensitive the personal data, the more rigorous and forward-thinking the data controller needs to be in order to ensure the privacy and data security of the personal data in question. This includes not just building a secure system at points of entry, but also adding additional safeguards to ensure that any damage is as small as possible if a data breach does occur. Regular audits not only improve the level of data security, they also give the data controller the tools to demonstrate to data protection authorities, individual data subjects, and business partners that the company has implemented the necessary safeguards.
Lessons Learned and Conclusion
The particulars of the Vastaamo matter are still unclear, but already it appears that the systems and practices of the company were insufficient for the processing of extremely sensitive patient data. This is a moment of self-reflection, where other companies working with special categories of data, such as health, genetic, ethnic or biometric data, need to examine their processes and, if necessary, carry out audits with reputable third parties to ensure that they have appropriate levels of protection in terms of data security, considering the volume and quality of the personal data that they process. Where necessary, they should augment their data-processing practices. Furthermore, data controllers should have a plan for (1) promptly detecting and (2) promptly responding to data breaches, so that when they occur the damage can be mitigated as far as possible.
There is also a question of authority regarding enforcement of the rules. At least in Finland, it is quite likely that the Data Protection Supervisory Authority will be proactively looking into the practices of other companies, and if necessary, exercising its powers under the GDPR to force companies to improve their processes. This means that companies dealing with sensitive data need to be able to demonstrate compliance on demand.
Finally, there is the issue associated with the Intera / Vastaamo acquisition, which took place after the data breach occurred but before the breach became public. That the data breach was not detected in the due diligence process associated with the acquisition highlights the importance of assessing the personal data and data security risks of companies that manage particularly sensitive personal data.