Date: 2023-03-10

On Friday, the former CEO of Vastaamo, accused of a data protection crime, will speak in the district court.

The court proceedings on information security liability for the data breaches at the psychotherapy center Vastaamo will continue on Friday at the Helsinki District Court.

The court will hear Vastaamo’s former CEO Ville Tapio, for whom the prosecutors demanded a prison sentence for a data protection crime between March 2019 and October 2020.

The criminal charge concerns the processing of customers’ personal data and data security in connection with the fact that the sensitive data of tens of thousands of Vastaamo’s customers fell into outside hands.

Tapio’s lawyer asked Tapio in court about, among other things, Tapio’s educational and professional background and his own role in the development of Vastaamo’s electronic patient system.

Tapio denied that he had coded Vastaamo’s patient information system, as has been publicly presented.

“Not true,” he answered his lawyer’s question about whether he coded the system used by Vastaamo himself.

In 2015, Vastaamo hired IT experts, with whose help Vastaamo’s electronic patient system was to be developed and transferred to the Kanta service, Tapio described. However, according to Tapio, it turned out that at that time there was still no THL definition of how therapy registrations had to be made in Kanta.

Vastaamo had a so-called class B system, meaning it was not connected to the Kanta service. Systems connected directly to the Kanta service are in the so-called class A, and all others are in class B. For example, the requirements for class A systems are much more specific. Class B systems have less supervision.

According to Tapio, the point was not to avoid joining Kanta; on the contrary, according to him, the reason for not joining Kanta was data protection concerns.

“The records that are entered into Kanta are visible to occupational health doctors and who knows.”

“Regarding therapy registrations, it was decided to wait until the determinations (of THL) are confirmed.”

Tapio described the software developers used by Vastaamo as very qualified in terms of their training. According to him, the IT workers hired in 2015 did their work independently, organized themselves and shared their responsibilities among themselves.

“They talked with me about things like how the system should look to the user.”

Development and certification of the patient information system was included in the IT employees’ contract. According to Tapio, they were very tough as technology people, but they still had “side hustle projects and hobbies related to technology”, which would partly have taken attention away from handling Vastaamo’s matters.

He said he did not know that the employees had too much work.

“A maximum of 40 hours per week was recorded in the employment contract without special permission. At no point have I restricted (working).”

“I kept hoping they would do more. They weren’t completely involved,” Tapio said.

Vastaamo was affected by two data breaches, in 2018 and in March 2019. According to the prosecutors, it is suspected that in the 2018 breach, customers’ medical information was taken, which was later used to blackmail the customers. Vastaamo itself did not notice the data breach at all at that time.

According to the indictment, Tapio failed to notify the data protection commissioner’s office of the data breach that occurred in March 2019. According to the prosecutors, due to Tapio’s actions and negligence, Vastaamo also had insufficient information security for a long time, both at the level of its organization and practical protections.

According to the prosecutors, Tapio knew about the data breach but failed to act adequately. According to the prosecutors, he acted either intentionally or grossly negligently.

Tapio himself denies the accusation of a data protection crime. He has denied knowing about the March 2019 data breach and blackmail.

Tapio’s defense has shifted the responsibility for information security problems to the two IT employees of Vastaamo at the time. According to the defense, the system would have been safe if used correctly.

In Tapio’s view, his job description did not include planning and maintaining the company’s information security systems, as he had hired IT employees and external experts for these tasks.

In the preliminary investigation by the police, in addition to Tapio, two employees of Vastaamo’s IT department were also suspects. Prosecutors, however, brought charges only against Tapio.

Patient information should be in a database that is closed to external connections. Vastaamo’s communication port was open to the network between November 26, 2017 and March 13, 2019.

On March 15, 2019, a data breach and extortion occurred, of which the authorities were not properly notified. An outside entity had logged into the patient database without permission, destroyed it and left a blackmail message in place of the database.

The compromising of patient data only became known to the authorities on September 28, 2020, after the extortion against Vastaamo. In the same autumn, the data breach also became public.

The police’s preliminary investigation into the data breach against Vastaamo itself and the extortion of its customers is ongoing. At the end of February, the District Court of Länsi-Uusimaa imprisoned Alexander Kivimäki, known as Julius Kivimäki, on suspicion of the data breach. He has denied that he committed the crime.