Ex-CEO of breached psychotherapy clinic gets prison sentence for bad data security

We’ve said this before, but we’ll repeat it again here:

Imagine that you’d spoken in what you thought was total confidence to a psychotherapist, but the contents of your sessions had been saved for posterity, along with precise personal identification details such as your unique national ID number, and perhaps including additional information such as notes about your relationship with your family…

…and then, as if that were not bad enough, imagine that the words you’d never expected to be typed in and saved at all, let alone indefinitely, had been made accessible over the internet, allegedly “protected” by little more than a default password giving anyone access to everything.

That’s what happened to tens of thousands of trusting patients of the now-bankrupt Psychotherapy Centre Vastaamo in Finland.

Crooks found the insecure data

Ultimately, at least one cybercriminal found his way into the ill-protected buckets of information.

After stealing the data, he decided to blackmail the clinic for €450,000 (then about $0.5M); when that didn’t work he stooped lower still and tried blackmailing the patients for €200 each, with a warning that the “fee” would increase to €500 after 24 hours.

Patients who didn’t pay up after a further 48 hours, the blackmailer said, would be doxxed, a jargon term meaning to have your personal data exposed publicly on purpose.

The extortionist apparently threatened not only to leak the sort of information that could cost the victims money due to identity theft, such as contact details and IDs, but also to spill those saved transcripts of their intimate conversations with therapists at the clinic.

Although a suspect in the blackmail part of this case was arrested in France in February 2022, following the issuing of an international arrest warrant, that wasn’t the only interest taken by Finnish law enforcement.

Victim as perpetrator

Even though the clinic was itself the victim of an odious cybercrime, the ex-CEO of the clinic, Ville Tapio, faced criminal charges, too.

As well as failing to take the sort of data security precautions that any medical patient would reasonably assume were in place, and that the law would expect…

…it seems that Tapio knew about his company’s sloppy cybersecurity for up to two years before the blackmail took place in 2020.

Worse still, he allegedly knew about the problems because the clinic suffered breaches in 2018 and 2019, and failed to report them, presumably hoping that no traceable cybercrimes would arise as a result, and thus that the company would never get caught out.

But modern breach disclosure and data protection regulations, such as the GDPR in Europe, make it clear that data breaches can’t simply be “swept under the carpet” any more, and must be promptly disclosed for the greater good of all.

Well, news from Finland is that Tapio has now been convicted and given a prison sentence, reminding business leaders that merely promising to look after other people’s personal data is not enough.

Paying lip service alone to cybersecurity is insufficient, to the point that you can end up being treated as both a cybercrime victim and a perpetrator at the same time.

Have your say

Tapio received a three-month prison sentence, but the sentence was suspended, so he isn’t heading directly to jail.

Did he get off lightly, particularly considering the sensitivity of the data that his company’s patients thought they could trust him with?

Have your say in the comments below…
