Lawsuits | In the Vastaamo trial, IT employees are heard, whom the former CEO considers to be responsible for information security problems

Psychotherapy Center In the trial regarding the counter, two former IT employees of the company will be heard as witnesses on Tuesday, whom the former CEO Ville Tapio has accused the company of information security problems.

Tapio was heard in court on Friday, when he said that the employees had made “incomprehensible mistakes”.

Tapio is accused of a data protection crime because, according to the prosecutor, Tapio neglected to take care of Vastaamo’s data security and gave the authorities false information about the data breach that targeted the company. Tapio completely denies the charge.

Employees was suspected in the preliminary investigation of a data protection crime, along with Tapio. However, the prosecutor did not press charges because, according to him, there was no probable cause to support their guilt.

Only one employee will be heard on the spot at the Helsinki District Court. According to the prosecutor, one of the employees has an obstacle to appear in court, so his preliminary investigation report will be read in the courtroom.

According to the prosecutor, Vastaamo was subjected to two data breaches, one in 2018 and the other in March 2019. It is suspected that in the 2018 burglary, patient information was taken, which was later used to blackmail customers. According to the prosecutor, Vastama was not aware of this break-in.

I lose the indictment is about the March 2019 data breach and the period after that until October 2020. According to the prosecutor, on March 15, 2019, an outside party broke into Vastaamo’s patient database, messed up the database and left a blackmail message on the patient database server.

According to the prosecutor, the measures taken at Vastamo after the incident were insufficient and the security of the patient database was compromised until October 2020. That’s when Vastaamo said that he was the target of blackmail, and after that the investigation and police investigation into the events began.

Tapio says that two employees of the IT department were responsible for Vastaamo’s information security, and neither of them told him about the March 2019 data breach at the time of the incident. According to the defense, the data security problems were caused by the fact that in November 2017, the employees opened the protections of Vastaamo’s information system and the database port to the Internet and left it open.

The defense says that the company’s information system would have been safe if used correctly, and the employees are trying to shift responsibility for their own mistakes to Tapio.

The Central Criminal Police (KRP) during the preliminary investigation, it became clear that several data breaches and other data security violations had occurred at Vastaamo. According to KRP, Vastaamo’s information security was improved somewhat over the years, but the problems did not disappear.

“The experts hired to improve information security for Vastaamo in October 2020 have described Vastaamo’s data security as particularly weak, bad and rudimentary, and Vastaamo’s way of taking care of data security in relation to the sensitivity of the information they manage as clearly deficient and very weak,” the preliminary investigation protocol said.

According to KRP, the patient database username password has been seven characters long and in plain language. It has not contained capital letters or special characters and had been in use since 2012.

The suspected serious data breach that targeted the reception desk is still under preliminary investigation. A 25-year-old man has been arrested as a suspect.

Police reminded last week that the victims of a data breach still have the opportunity to make a statement of the person concerned in the police’s electronic transaction service. First, a criminal report must be filed. It can also be done in the online service.

The police have received about 6,500 criminal reports related to data breaches. Data breach stakeholders are primarily consulted using an electronic form. Those who gave the statement remain involved in the criminal process and get the opportunity to present their claims in the case.