Psykoterapiakeskus Vastaamo – €608,000 Fine (Finland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Finnish Data Protection Authority fined Vastaamo psychotherapy center €608,000 for failing to protect patient data. Hackers accessed their database due to weak security, and the center delayed reporting the breach. This case emphasizes the importance of strong data security and timely breach reporting.
What happened
Vastaamo was fined for not securing patient data and delaying breach notifications after hackers accessed their database.
Who was affected
Patients of Vastaamo psychotherapy center were affected, as their sensitive medical data was compromised.
What the authority found
The authority found that Vastaamo failed to protect personal data and did not report the breach promptly, violating GDPR requirements.
Why this matters
This case highlights the critical need for businesses to implement robust security measures and promptly report data breaches. It serves as a warning to other companies handling sensitive information.
GDPR Articles Cited: Art. 5(1)(f), Art. 33(1), Art. 34(1)
Original scraped data (before verification against the source document):
The Finnish DPA has fined Vastaamo psychotherapy center EUR 608,000. In September 2020, the psychotherapy center reported an attack on its patient database to the DPA. An unauthorized third party had gained access to Vastaamo's medical database on at least two occasions, in December 2018 and March 2019. The attacker had also siphoned off data and left a ransom note on the servers. Due to insufficient logging, neither the exact date of the breach nor the network addresses used by the attacker could be identified.

The most likely cause of the medical database leak was an unprotected port on the database server, behind which the database's root user account had no password. The patient database server was open to the Internet without firewall protection between November 26, 2017, and March 13, 2019. For this reason, the DPA determined that the personal data were not adequately protected against unauthorized and unlawful processing or accidental loss, destruction, or damage, and that the controller had not implemented basic measures for the secure processing of personal data.

As part of its investigation, the DPA also determined that the controller must have known as early as March 2019 that data in the patient information system had been lost and could have been compromised by an external attacker. Vastaamo should have immediately reported the security breach to both the DPA and its patients. However, Vastaamo was significantly late in meeting this obligation.

The fine is composed proportionately of EUR 145,600 for the breach of Art. 33(1) GDPR, EUR 145,600 for the breach of Art. 34(1) GDPR and EUR 316,800 for the breach of Art. 5(1)(f) GDPR.
Related Enforcement Actions (0)
No other enforcement actions found for Psykoterapiakeskus Vastaamo in FI
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 7 December 2021
Authority: Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman, Finland)
Fine Amount: €608,000
Enforcement Tracker ID: ETid-952
About this data
Cite as: Cookie Fines. Psykoterapiakeskus Vastaamo - Finland (2021). Retrieved from cookiefines.eu