The Finnish Data Protection Authority has now issued its decision in the data breach case involving Vastaamo Oy and has ordered a fine of EUR 608.000, which is to date the largest fine imposed in Finland.
In November 2018, a data security vulnerability in the systems of Vastaamo Oy, a major provider of psychotherapy services in Finland, led to the theft of the names, personal identity numbers, and patient records of at least 40.000 patients by an unknown hacker. The core reason for the breach was negligent security and data protection practices: an extremely sensitive database was maintained with root-level access reachable from the open internet, without any firewall or, amazingly, any form of password protection. For more information about the case and its background, see here.
Why is the decision important?
The information stolen and published by the hacker is, of course, extremely sensitive since it contains detailed patient records relating to the mental health of individual patients. The Finnish Data Protection Authority determined that Vastaamo, as data controller, breached its obligations under the GDPR as a result of the following deficiencies:
- not implementing adequate and reasonable technical and organizational measures to protect highly sensitive personal data and thus not implementing secure processing of personal data
- intentionally failing to inform the data protection authority and the data subjects of the personal data breach without undue delay after Vastaamo became aware of the data breach
- not documenting the data breach sufficiently
- not fulfilling the requirements for a data protection impact assessment on a sufficient level
Although a data protection impact assessment (“DPIA”) had been carried out, the data protection authority deemed that the DPIA did not adequately consider the nature, extent, context and purpose of the processing, did not sufficiently identify the resources used for the processing, and did not describe whether and how the personal data, its storage periods and the parties processing the data were recorded. The controller had also failed to assess the proportionality and necessity of the processing and related actions, and whether the data subjects’ rights had been adequately secured. Finally, the controller had failed to properly assess the risks caused by the processing.
What are the lessons learned from this?
Not surprisingly, when processing highly sensitive personal data that falls under Article 9 of the GDPR, the data controller must
- pay careful attention to the principles for processing sensitive categories of data under the GDPR
- ensure that state-of-the-art technical and organizational measures to protect such personal data are implemented and maintained from the beginning
- be prepared to document and report potential personal data breaches and
- execute and maintain detailed data protection impact assessment(s)
The author, Arttu Ahava, is a European trade mark and design attorney and lawyer working with Berggren Oy, Finland’s leading IPR service provider. The author has been involved in the preparation of the revised Trademarks Act and assisted clients in connection with a similar revision process carried out with regards to EU trademarks.