Short summary in English
Updated reimbursement instructions Nov 2, 2020
Vastaamo’s Board of Directors was changed on Nov 9, 2020; see the names of the new members in the Finnish press release.
Please find below a short summary in English, which we hope answers your most critical needs. Unfortunately we lack the resources to provide proper translations, as the information in Finnish is continuously being updated.
Psychotherapy Center Vastaamo has become the victim of a data system break-in and extortion.
An unknown hostile party has contacted Vastaamo and claimed to have gained possession of confidential information of the company's customers. The incident was immediately reported to the Finnish National Cyber Security Centre, the Finnish National Supervisory Authority for Welfare and Health (Valvira) and the Office of the Data Protection Ombudsman of Finland. Additionally, Vastaamo undertook immediate measures to investigate, resolve and rectify the matter in co-operation with independent external data protection and data security experts. For reasons attributable to the police investigation, we were not allowed to provide information about the matter earlier than when the hostile party publicized some data on October 21.
The investigation has revealed that Vastaamo became the victim of a data system break-in in November 2018. Some of our customers' confidential information relating to the period prior to the end of November 2018 has been leaked as a result of the break-in. Our system has likely also been accessed between the end of November 2018 and March 2019. To our knowledge, the database was not stolen in connection with this, but it is nevertheless possible that some individual pieces of data were accessed or copied up until March 2019.
Investigation by Nixu has not revealed evidence that the system would have been accessed after March 2019.
We have notified the victims of the data breach personally by email or letter. If you have received or will receive a personal notification, your data has unfortunately likely been accessed.
On October 24, the victims, customers and employees of Vastaamo alike, started to receive individual blackmail messages demanding a ransom. If you detect or suspect that your data is being misused, if your data is disseminated online, or if you are contacted or blackmailed regarding the leaked data, we encourage you to report the offence to the local police department of your place of residence. If need be, you can ask for guidance from the Office of the Data Protection Ombudsman.
The police instruct:
- Do not call 112, as the emergency center will not be able to help with this.
- Record and preserve any emails, messages and other evidence you receive. Include all information about the sender at the time you received the message in the crime report (https://www.poliisi.fi/crimes/reporting_an_offence_online).
- The ransom should not be paid.
- The messages should not be forwarded or distributed, as they contain personal information.
A useful website where you can find information in English about victim support:
There are many links to Finnish websites, including https://tietovuotoapu.fi/fi/ (hopefully soon to be translated).
Potential actions for protecting against the misuse of your identity:
- Prohibition on registration
- Prohibition of change of address
- Prohibitions on disclosure of personal information & Prohibition of direct marketing and address assignment at
Vastaamo reimburses Asiakastieto’s services to prevent credit misuse
To prevent credit misuse, the victims of the data breach can order commercial credit watch services. Asiakastieto’s two products “OmaLuottokielto” and "Tietovahti" will be reimbursed by Vastaamo for one year when purchased by the break-in victims. The products should be chosen and purchased directly from the Asiakastieto site www.asiakastieto.fi/omatieto/fi/tuotteet/turva2020.
- Tietovahti – a monitoring service that notifies you of requests made to check your creditworthiness (14,90€ / year)
- OmaLuottokielto – a block on credit being granted in your name (9,90€ / year)
After you have purchased the desired product(s), please fill in the web form to give your consent to the reimbursement. Vastaamo will validate the information you submit on the form and pass it on to Asiakastieto. Asiakastieto will then reimburse your purchase directly to you. The information given on the consent form will be destroyed as soon as it is no longer needed.
The fields in the form are, in this order:
- Three purchase-related check boxes: “I have received a confidential and official notification from Vastaamo of being a victim of the named data breach, and have thus purchased [check lines with the names of the purchased products]”, or the third check box if you had already made the related purchases at Asiakastieto earlier.
- First name, last name, date of birth (DDMMVV, i.e. day, month, two-digit year), the e-mail address used when purchasing the Asiakastieto products, and the receipt number of the Asiakastieto purchase.
- Last check box: your consent for the information on this form to be processed and submitted to Asiakastieto so that Asiakastieto can execute the reimbursement.
The authorities and Vastaamo are doing everything in their power to investigate and resolve the matter, to stop the hacked data from being disseminated and to ensure that the offenders are held accountable. In addition to the National Bureau of Investigation, the National Cyber Security Centre (under Traficom) and the Office of the Data Protection Ombudsman are involved in investigating the matter. We also utilise independent external data security and data protection experts.
Support helplines are available for the victims in Finnish and some in Swedish; unfortunately we don’t know whether the person answering would also be able to help in English. Please see the section “Kriisitukea tietomurron kohteina olleille: puhelinpalveluita”.
Vastaamo's customer data register contains the customer's contact information and social security number. Based on these, a customer number (customer ID) is created for each customer. The database mainly contains information entered manually by the healthcare professional. Discussions are not transcribed, but the session notes required by law have been summarized by the healthcare professional treating you. Our register also contains the dates of completed and uncompleted visits, as well as logs of all events in which the data has been entered, modified or accessed. Customer information may also include treatment plans and targets, and statements to or from authorities or the customer him/herself.
You have the legal right to inspect your personal data. This information is checked and provided by a healthcare professional, who makes an entry in the patient data register, thus recording the exercise of your right of inspection. You are entitled to receive your personal data within a month; this official time limit may be extended by a further two months if the request is broad or complex.
We recommend that you use Vastaamo's "Data Inspection Request" form on the web page www.vastaamo.fi/tietosuoja (form to be translated) so that we can verify the identity of the person requesting the data and collect all the information necessary to process the request in one go. You can also make a data inspection request without the form, but please make sure that it contains sufficient information to detail your request and to verify your identity.
Please also ensure secure delivery of the form, as it includes your personal data, by sending the request form either on paper by post to Mannerheimintie 12 B, 00100 Helsinki, or by encrypted/secure e-mail to tietosuojavastaava (at) vastaamo.fi. You will be notified once we have received your request. Due to the high number of requests, our response may be delayed. We ask for your patience. We strive to expedite processing as much as we can and are building an e-form through which we could receive the requests.
Vastaamo's data systems have been examined; they are strongly secured, and their use is subject to enhanced monitoring by data security professionals. We are carrying on with these measures and will provide further information. We are doing everything in our power to investigate and resolve the incident and, in co-operation with the authorities, strive to prevent the dissemination of any confidential information.
We are deeply sorry for what has happened.
Earlier press releases
Press release October 26, 2020: Investigation into the Vastaamo data system break-in – shortcomings in information security in the background
The Board of Directors of psychotherapy centre Vastaamo has relieved the company’s managing director of his duties.
On Wednesday 21 October 2020, psychotherapy centre Vastaamo announced that it had become a victim of a data system break-in and extortion.
Vastaamo was informed of the extortion in late September, when the extortionist approached three Vastaamo employees by way of an extortion message. The matter was immediately reported to the National Bureau of Investigation, which initiated a criminal investigation into the case. The event was also immediately reported to the National Cyber Security Centre, National Supervisory Authority for Welfare and Health Valvira and the Data Protection Ombudsman. Furthermore, measures were taken to investigate the case in cooperation with cyber security company Nixu, whose information security specialists began investigating the technical execution of the data system break-in.
The investigation by experts from the cyber security company Nixu has progressed. Nixu has provided the National Bureau of Investigation and Finnish Transport and Communications Agency Traficom with up-to-date information about the investigation. Based on the investigations, it seems probable that the data system break-in that led to the theft of the client database took place in November 2018. The protection of the customer information system of Vastaamo has had a shortcoming that the criminals exploited to access the client database of that time.
Based on current knowledge, break-ins into the system may also have been possible until mid-March 2019. We are not aware of the database being stolen after November 2018, but it is possible that individual data items have been viewed or copied.
Vastaamo’s internal investigation has also indicated that the company was affected by another data system break-in in mid-March 2019. It seems apparent that the company’s managing director at this point became aware of the data system break-in and the information security shortcomings of Vastaamo. The attack that took place in March 2019 led to Vastaamo fixing the shortcoming in its customer information system and taking other measures to protect the data systems.
The current Board of Directors and majority shareholder of the company were not informed of the data system break-in of March 2019 or of the information security shortcomings in the company’s systems.
The investigation did not make it possible to obtain complete certainty over the progress of the case. Based on it, however, it is apparent that there were shortcomings in Vastaamo’s information security, as a result of which criminals have been able to break into the database during the time prior to mid-March 2019.
We are deeply sorry for what has happened and especially on behalf of our clients who were subject to the data system break-in. We apologise for the shortcomings in information security that have caused extremely heavy consequences and human cost.
The investigation will continue – no information security shortcomings observed concerning the period after March 2019
The authorities and Vastaamo will do their utmost to investigate the case, prevent the dissemination of the data and hold those responsible to account.
An audit concerning information security was conducted on Vastaamo’s IT systems by another external service provider in April–May 2019. The audit was conducted in conjunction with a due diligence process of an acquisition transaction. The audit indicated several development priorities, but no critical shortcomings in information security. After that, the data systems of Vastaamo have been developed continuously.
Since the extortion came to light in late September 2020, Nixu has also audited Vastaamo’s data systems and reinforced their protection. Nixu’s investigation did not find indications of data system break-ins after March 2019.
Vastaamo’s managing director has been relieved of his duties
The Board of Directors of psychotherapy centre Vastaamo has relieved managing director Ville Tapio of his duties with immediate effect.
The Board of Directors of Vastaamo is aware that on Monday 26 October 2020, the company’s majority shareholder PTK Midco Oy took legal action relating to the acquisition of Vastaamo concluded in May 2019.
The Chair of the Board of Directors, Tuomas Kahri, will be responsible for managing the company’s operations in cooperation with the company’s management team until further notice.
The most important task of the company’s management is to support the clients in the exceptionally serious and burdensome situation. Vastaamo has launched several measures to support its clients. Up-to-date information about the support offered to clients can be found on the company’s website.
Media enquiries will be handled by Tuomas Kahri, chairman of the Board of Directors of psychotherapy centre Vastaamo. Contact: firstname.lastname@example.org
For additional information about data protection and the processing of client data, see www.vastaamo.fi/tietosuoja
Our customer service can be contacted by telephone +358 (0)44 4141 000 or e-mail tuki (at) vastaamo.fi