The Finnish Data Protection Authority has now issued its decision in the data breach case involving Vastaamo Oy and has ordered a fine of EUR 608.000, which is to date the largest fine imposed in Finland.
In November 2018, a data security vulnerability in the systems of Vastaamo Oy, a major provider of psychotherapy services in Finland, led to the theft of the names, personal identity numbers, and patient records of at least 40.000 patients by an unknown hacker. The core reason for the breach was negligent security and data protection practices - an extremely sensitive database was maintained with root-level access from the open internet, without any firewall or, amazingly, any form of password protection. For more information about the case and its background see here.
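The failure pattern described above (a database reachable from the internet, with a superuser account that needs no password and no firewall in front of it) is easy to check for. The following is an added example written for this post, not code from Vastaamo or from the authority's decision; the page does not name the database product, so it assumes a MySQL/MariaDB-style server configuration, an account listing modelled on the columns of a `mysql.user` table, and a set of host firewall allow rules. All sample values are constructed.

```python
"""Audit a database server's exposure for the three failures named in the
post: listening on the open internet, no firewall filtering, and a
superuser account with no password. Sample data below is constructed."""
import configparser
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "critical" or "high"
    message: str


# Constructed my.cnf-style configuration (assumption: MySQL/MariaDB key names).
# This is the weak configuration: it accepts connections on every interface.
WEAK_SERVER_CONFIG = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
skip-networking = 0
"""

# Constructed hardened counterpart: bound to a private address only.
HARDENED_SERVER_CONFIG = """
[mysqld]
bind-address = 10.0.0.10
port = 3306
"""

# Constructed account tables as (user, host_pattern, has_password).
WEAK_ACCOUNTS = [("root", "%", False), ("app", "10.0.0.5", True)]
HARDENED_ACCOUNTS = [("root", "localhost", True), ("app", "10.0.0.5", True)]

# Constructed host firewall allow rules as (port, source_cidr).
# An empty set means no inbound filtering at all.
WEAK_FIREWALL_RULES: set[tuple[int, str]] = set()
HARDENED_FIREWALL_RULES = {(3306, "10.0.0.0/24")}

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")
ANY_SOURCE = ("0.0.0.0/0", "::/0")


def audit_exposure(config_text, accounts, firewall_rules):
    """Return a list of Findings; an empty list means none of the checks fired."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(config_text)
    section = cp["mysqld"] if cp.has_section("mysqld") else {}

    bind = (section.get("bind-address") or "0.0.0.0").strip()
    port = int(section.get("port") or "3306")
    # A bare "skip-networking" line (value None) also disables TCP listening.
    skip_value = section.get("skip-networking") if "skip-networking" in section else "0"
    skip_networking = skip_value is None or skip_value.strip().lower() not in ("0", "off")

    listens_on_all = bind in ("0.0.0.0", "::", "*") and not skip_networking
    if listens_on_all:
        findings.append(Finding("high", f"database listens on all interfaces ({bind}:{port})"))
    if listens_on_all and not firewall_rules:
        findings.append(Finding("critical", "no host firewall rules: port reachable from any source"))
    elif any(p == port and src in ANY_SOURCE for p, src in firewall_rules):
        findings.append(Finding("critical", f"firewall allows port {port} from any source"))

    for user, host, has_password in accounts:
        remote = host not in LOCAL_HOSTS
        if not has_password:
            severity = "critical" if remote else "high"
            findings.append(Finding(severity, f"account {user!r}@{host!r} has no password"))
        if user == "root" and remote:
            findings.append(Finding("high", f"superuser {user!r} may log in from {host!r}"))
    return findings


def worst_severity(findings):
    """Collapse a finding list to the single worst level for reporting."""
    levels = {f.severity for f in findings}
    if "critical" in levels:
        return "critical"
    if "high" in levels:
        return "high"
    return "none"


if __name__ == "__main__":
    for label, cfg, accts, fw in (
        ("weak", WEAK_SERVER_CONFIG, WEAK_ACCOUNTS, WEAK_FIREWALL_RULES),
        ("hardened", HARDENED_SERVER_CONFIG, HARDENED_ACCOUNTS, HARDENED_FIREWALL_RULES),
    ):
        results = audit_exposure(cfg, accts, fw)
        print(f"{label}: {worst_severity(results)}")
        for f in results:
            print(f"  [{f.severity}] {f.message}")
```

Run against the weak configuration the audit reports four findings, two of them critical; the hardened counterpart produces none. In practice the inputs would come from the real server configuration, a `SELECT user, host, authentication_string <> ''` style query and the host's firewall listing, and the checks belong in a scheduled compliance job rather than a one-off script.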
The information stolen and published by the hacker is, of course, extremely sensitive since it contains detailed patient records relating to the mental health of individual patients. The Finnish Data Protection Authority determined that Vastaamo, as data controller, breached its obligations under the GDPR as a result of the following deficiencies:
Although a data protection impact assessment (“DPIA”) had been carried out, the data protection authority deemed that the DPIA did not adequately consider the nature, extent, context and purpose of the processing, did not sufficiently identify the resources used for the processing, and did not describe whether and how the personal data, its storage times and the parties processing the data were recorded. The controller had also failed to assess the proportionality and necessity of the processing and related actions, and whether the data subjects’ rights had been adequately secured. Finally, the controller had failed to properly assess the risks caused by the processing.
Not surprisingly, while processing highly sensitive personal data that falls under Article 9 of the GDPR, the data controller must
The blog's authors, our experts Suvi Julin and Arttu Ahava, will expand on the guidance provided by this decision in later articles.