Hacked therapy centre's ex-CEO gets 3-month suspended sentence
The district court characterised the defendant's actions as particularly reprehensible, due to the scale of the data breach as well as the sensitive nature of the information involved.
Former CEO of psychotherapy centre Vastaamo, Ville Tapio. Image: Jouni Immonen / Yle
YLE NEWS
18.4 13:49, updated 18.4 13:55
Helsinki District Court handed a three-month suspended sentence to the former CEO of a psychotherapy firm targeted in a major data breach.
The court found the ex-CEO of Vastaamo, Ville Tapio, guilty of a data protection offence because he did not fulfil the General Data Protection Regulation (GDPR) requirements on the pseudonymisation and encryption of the patient data handled by the centre.
In the autumn of 2020, Vastaamo's board sacked Tapio over the breach, shortly after it was revealed that highly sensitive information from tens of thousands of patients had been stolen from its database.
The information included patient records and notes from therapy sessions.
Vastaamo, which had treated more than 30,000 patients, was also a subcontractor to several major public-sector hospital districts.
Some of the files, including exceptionally personal material such as diaries, diagnoses and contact information, were also published on the dark web. The firm, as well as individual patients and staff members, received demands to pay ransoms to stop more information from being leaked, but refused to pay up.
On Tuesday the court said it found that the company's database stored patients' personal information and therapy session notes as unencrypted plain text, without adequate encryption or pseudonymisation.
That meant anyone with access to the database could match individual therapists' notes and medical records to the patients' personal details.
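To make concrete what the court's finding means in practice, the following is an added illustration, not code from Vastaamo or from the court record, of the two controls the ruling refers to: pseudonymisation (the clinical table references patients only by a keyed identifier, with names and contact details held in a separate store) and encryption of the notes themselves. The keys, patient identifiers, note text and the `DumpLeaks` check are constructed for the demo; the article says nothing about how the real system was built or how the attacker got in, so this shows only the storage property the court described, namely that a stolen table on its own should yield neither identities nor note text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// IdentityRecord holds the directly identifying data. It lives in a separate
// store with its own access controls; the clinical table never references it
// by real identifier, only by the keyed pseudonym derived below.
type IdentityRecord struct {
	PatientID string
	Name      string
	Email     string
}

// ClinicalRecord is the row stored in the therapy-notes table: a pseudonym and
// an encrypted note. A dump of this table alone yields no names and no note text.
type ClinicalRecord struct {
	Pseudonym string
	Sealed    []byte // nonce || AES-GCM ciphertext and tag
}

// Pseudonym derives a stable identifier from the patient ID with HMAC-SHA256.
// Without pseudoKey the mapping cannot be recomputed; a plain hash of a short
// patient ID would be brute-forceable and is not a pseudonym in this sense.
func Pseudonym(pseudoKey []byte, patientID string) string {
	mac := hmac.New(sha256.New, pseudoKey)
	mac.Write([]byte(patientID))
	return hex.EncodeToString(mac.Sum(nil))
}

// Seal encrypts a session note with AES-256-GCM. The pseudonym is bound in as
// associated data, so a ciphertext cannot be re-attached to another patient's
// row without the authentication tag failing.
func Seal(noteKey []byte, pseudonym, note string) ([]byte, error) {
	block, err := aes.NewCipher(noteKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(note), []byte(pseudonym)), nil
}

// Open reverses Seal and fails if the blob was tampered with or moved to a
// different pseudonym.
func Open(noteKey []byte, pseudonym string, blob []byte) (string, error) {
	block, err := aes.NewCipher(noteKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("sealed note too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(pseudonym))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// DumpLeaks models what an attacker who exfiltrates the clinical table sees:
// it reports whether any of the given plaintext strings (a name, a note
// fragment, a real patient ID) appear anywhere in the raw table contents.
func DumpLeaks(table []ClinicalRecord, needles []string) bool {
	var dump strings.Builder
	for _, r := range table {
		dump.WriteString(r.Pseudonym)
		dump.Write(r.Sealed)
	}
	for _, n := range needles {
		if strings.Contains(dump.String(), n) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed keys for the demo. In a real deployment they come from a KMS
	// or HSM, not from the database host, or a full server compromise still
	// yields plaintext.
	pseudoKey := []byte("constructed-pseudonymisation-key")
	noteKey := []byte("constructed-32-byte-aes-256-key!") // exactly 32 bytes
	id := IdentityRecord{PatientID: "patient-0001", Name: "Example Patient", Email: "patient@example.invalid"}
	p := Pseudonym(pseudoKey, id.PatientID)
	sealed, err := Seal(noteKey, p, "Session 3: constructed sample note text")
	if err != nil {
		panic(err)
	}
	table := []ClinicalRecord{{Pseudonym: p, Sealed: sealed}}
	fmt.Println("clinical table leaks plaintext:", DumpLeaks(table, []string{id.Name, id.PatientID, "Session 3"}))
	note, _ := Open(noteKey, p, sealed)
	fmt.Println("authorised read:", note)
}
```

The design point is separation: the identity store, the pseudonymisation key and the note-encryption key each need to be compromised before a stolen clinical table becomes the kind of material that was used for blackmail here. Encryption at rest that keeps its key on the same host as the database protects against a stolen disk but not against an attacker who has a shell on the server, so where the keys live matters as much as whether the column is encrypted.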
The confidential records from therapy sessions were used in blackmail attempts.
The court characterised the defendant's actions as particularly reprehensible, due to the scale of the breach as well as the sensitive nature of the information involved.
No past criminal record
"Taking into account the long period of time, the district court finds that this act cannot be reconciled with fines, but that Tapio must receive a prison sentence for the act," the court's sentencing statement read.
The court said that the seriousness of the crime would justify an unconditional jail sentence, but that after considering the matter as a whole, ruled that it should impose a suspended sentence.
Among other things, the court justified the reasoning by noting that Tapio had no previous criminal record.
Penalties for a data protection offence can range from income-linked day fines up to a one-year unconditional jail term.
The district court's decision is not yet final, as both the prosecutor and the defendant can apply for leave to appeal.
Tapio has denied committing the offence, claiming that during the several years he was CEO he did not know that Vastaamo's IT security was poor.
During the trial, he placed the responsibility for the breach on two of the company's former IT employees.
Prosecutors had demanded that Tapio receive a nine-month suspended sentence.
They argued that Tapio's conduct was intentional or grossly negligent because he did not ensure that the company's data security and personal data were adequately protected.
In late February, a man authorities suspect was behind the Vastaamo breach, Aleksanteri Kivimäki, was remanded into custody.
Kivimäki is suspected of aggravated extortion, aggravated data theft and aggravated distribution of information infringing privacy, among other offences.