According to the employees, Vastaamo CEO Ville Tapio did not want to spend money on improving the company’s information security. Accused of a data protection crime, Tapio blames the IT workers for Vastaamo’s data security problems.

On Tuesday, the Helsinki District Court heard two former IT employees of the psychotherapy centre Vastaamo, whom former CEO Ville Tapio has blamed for the company’s information security problems.

Only one of the ex-employees was present at the Helsinki District Court. The other was unable to appear, so his statement from the preliminary investigation was read out in the courtroom.

The employee who testified in the courtroom said that the information security of Vastaamo’s patient information register was very weak and that information security and its related risks were generally not discussed much.

“As I recall, the biggest risk identified was that if a therapist left Vastaamo and opened his own clinic, he could print out all the patient information and take it with him. Based on this, log monitoring of printouts was built,” the man said.

Tapio is accused of a data protection crime because, according to the prosecutor, Tapio neglected to take care of Vastaamo’s data security and gave false information to the authorities about the data breach that targeted the company in spring 2019.

Tapio completely denies the charge. According to his defense, two IT employees were responsible for Vastaamo’s data security, not Tapio himself.

The employee heard in court denied this.

“There were two of us with zero drivers, and our tasks were very mixed. Almost all of our working time was spent on maintenance, opening new offices and supporting growth as the number of personnel increased.”

The employee said that he presented improvements to Vastaamo’s information security, but according to him, Tapio did not want to spend money on such things.

“One thing that was discussed many times was the acquisition of an F-Secure licence. There were other projects, and requests for tenders were sent out for information security, but they just died. Tapio never approved or signed [the procurements], and no one else could do it.”

The other employee also said in the preliminary investigation that, for example, licences for VPN services that improve the protection of network connections were not obtained because they cost money. Tapio also neglected many other things because they would have required spending money, the man told the police.

According to the prosecutor, Vastaamo was the target of two data breaches, one in 2018 and the other in March 2019. It is suspected that patient information was taken in the 2018 break-in and later used to blackmail customers. According to the prosecutor, Vastaamo was not aware of this break-in.

Tapio’s indictment concerns the March 2019 data breach and the period after it until October 2020. According to the prosecutor, on March 15, 2019, an outside party broke into Vastaamo’s patient database, tampered with the database and left a blackmail message on the patient database server.

According to the prosecutor, the measures taken at Vastaamo after the incident were insufficient, and the security of the patient database remained compromised until October 2020. That is when Vastaamo announced that it was the target of blackmail, after which the investigation and police inquiry into the events began.

The IT employees were also suspected of a data protection crime in the preliminary investigation, along with Tapio. However, the prosecutor did not press charges against them because, according to him, there was no probable cause to support their guilt.

Tapio denies that he knew about the March 2019 data breach at issue in the indictment at the time it occurred. According to Tapio, the IT employees gave him false information, which is why he told Valvira in his notifications that it had been a maintenance outage and a maintenance error.

The defense says that the company’s information system would have been safe if used correctly, and the employees are trying to shift responsibility for their own mistakes to Tapio.

According to the defense, the data security problems were caused by the employees removing the protections of Vastaamo’s information system in November 2017, exposing the database port to the Internet and leaving it open.

Tapio was heard in court last Friday, where he said the workers had made “incomprehensible mistakes”.

The prosecutor says that Tapio knew about the March 2019 data breach and the poor level of Vastaamo’s information security. According to the prosecutor, the motive for the cover-up was to secure a future business transaction. Private equity investor Intera Partners acquired the majority of shares in Vastaamo a few months after the data breach.

The employee heard in court said that Tapio had been told in March 2019 that the database containing patient information had been lost. According to the employee, Tapio did not react to this information, but considered it most important to get the system back up and running as quickly as possible.

“In hindsight, I have thought that Ville must have known about the upcoming Intera deal, which we had no idea about. It would have been a bit bad; the business would have gone out of business,” the man said.

During the Central Criminal Police’s (KRP) preliminary investigation, it became clear that several data breaches and other data security violations had occurred at Vastaamo. According to KRP, Vastaamo’s information security was improved somewhat over the years, but the problems did not disappear.

“The experts hired to improve information security for Vastaamo in October 2020 have described Vastaamo’s data security as particularly weak, bad and rudimentary, and Vastaamo’s way of taking care of data security in relation to the sensitivity of the information they manage as clearly deficient and very weak,” the preliminary investigation protocol said.

According to KRP, the password for the patient database’s user account was seven characters long and a plain-language word. It contained no capital letters or special characters and had been in use since 2012.

A data protection crime is punishable by a fine or up to one year in prison. The prosecutor has said that he is seeking a suspended prison sentence for Tapio, but has not commented on its length.

The suspected aggravated data breach that targeted Vastaamo is still under preliminary investigation. A 25-year-old man has been arrested as a suspect.

The police reminded the public last week that the victims of the data breach still have the opportunity to submit an injured-party statement through the police’s electronic service. A criminal report must be filed first; this can also be done in the online service.

The police have received about 6,500 criminal reports related to the data breaches. Injured parties in the data breach are primarily heard via an electronic form. Those who submit a statement remain parties to the criminal proceedings and get the opportunity to present their claims in the case.