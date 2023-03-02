The first criminal trial related to the data breaches of the Psychotherapy Center Vastaamo began on Thursday morning at the Helsinki District Court.

First The criminal trial related to the data breaches of the Psychotherapy Center Vastaamo began on Thursday morning in the Helsinki District Court. The prosecutor demands Vastaamo’s former CEO To Ville Tapio punishment for a data protection offence.

Ville Tapio’s defense denied the charge at the beginning of the hearing. Tapio refused media interviews before the start of the session.

The charge concerns the processing of personal data, because sensitive information of tens of thousands of customers was leaked from Vastamo to outsiders.

According to the prosecutors, among other things, Tapio failed to notify the data protection commissioner’s office of the data breach and did not sufficiently ensure that data security matters were in order. According to the prosecutors, he acted intentionally or grossly negligently.

“Information security has been at a very weak level”, the prosecutors stated in their case presentation.

According to the prosecutors, if the combination of data had been properly prevented, the damage of data breaches would have been less.

The system was originally developed by Ville Tapio himself, so he knew it well, according to the prosecutors. However, little money was spent on its development.

According to the prosecutors, Vastamo focused on growing the company, and IT matters remained on the sidelines.

“Tapio has been responsible for and managed IT operations,” the prosecutors said.

The district court has scheduled 13 sitting days for the case. The last processing date is at the end of March.

A data protection offense can be punished with fines or a maximum of one year in prison.

Prosecutors have stated that, based on the preliminary investigation, “The information security matters of the Answer Center have been in downright chaos in terms of available resources, budget, use and utilization of sufficient professional skills, training and expertise”.

In the preliminary investigation, in addition to Ville Tapio, two employees of Vastaamo’s IT department were also suspected. However, the prosecutors decided to bring charges only against Tapio.

The overworked IT department had notified the management about information security gaps and various procurement needs, but nothing happened.

Because of this, two subordinates were not charged. They were not in such a position that they would have been able to comply with the requirements of the General Data Protection Regulation regarding the practical organization of data security.

Preliminary investigation According to Vastaamo, several data breaches had occurred over the years. The CEO of the counter and the IT staff were suspected of knowing about the burglaries.

The matter only came to the attention of the authorities when Vastaamo filed a criminal complaint about extortion in the fall of 2020.

Patient data should be in a database that is closed from external connections. However, the communication port of the reception desk has been open to the internet between November 26, 2017 and March 13, 2019.

This procedure, combined with poor password practices, has meant that the likelihood of a data breach has been high.

The reception desk the preliminary investigation regarding the data breach and the extortion of its customers is still ongoing. The district court of Länsi Uusimaa imprisoned earlier on Tuesday Julius as Kivimäki known Aleksanteri Kivimäki suspected of a data breach.

Kivimäki was imprisoned for the most probable reasons, suspected of, among other things, aggravated data breach, aggravated dissemination of information infringing private life, extortion crimes.

If Kivimäki’s criminal suspicions lead to charges, they will be dealt with in a separate trial in due course.