Short summary in English (updated March 2nd)
Please find below a short summary in English that we hope answers your most critical questions.
Psychotherapy Center Vastaamo has become the victim of a data system break-in and extortion.
An unknown hostile party contacted Vastaamo and claimed to have gained possession of confidential information of the company's customers. The incident was immediately reported to the Finnish National Cyber Security Centre, the Finnish National Supervisory Authority for Welfare and Health (Valvira) and the Office of the Data Protection Ombudsman of Finland. Additionally, Vastaamo undertook immediate measures to investigate, resolve and rectify the matter in co-operation with independent external data protection and data security experts. For reasons attributable to the police investigation, we were not allowed to provide information about the matter earlier than when the hostile party publicized some data on October 21, 2020.
The investigation has revealed that Vastaamo became the victim of a data system break-in in November 2018. Some of our customers' confidential information relating to the period prior to the end of November 2018 has been leaked as a result of the break-in. Our system has likely also been accessed between the end of November 2018 and March 2019. To our knowledge, the database was not stolen in connection with this, but it is nonetheless possible that some individual pieces of data were accessed or copied up until March 2019.
Investigation by Nixu has not revealed evidence that the system would have been accessed after March 2019.
We have notified the victims of the data breach personally by email or letter. If you have received a personal notification, your data has unfortunately likely been accessed.
On October 24, 2020 the victims - customers and employees of Vastaamo alike - started to receive individual blackmail messages demanding a ransom. According to media reports, the hacked database was again published in the Tor network and on the Internet on January 27, 2021 and thereafter. If you detect or suspect that your data is being misused, if your data is disseminated online, or if you are contacted or blackmailed regarding leaked data, we encourage you to report the offence to the local police department of your place of residence. If need be, you can ask for guidance from the Office of the Data Protection Ombudsman.
The management of the data breach and extortion, the resulting large non-recurring expenses and the uncertainties following the incident have caused significant financial strain for Vastaamo, despite the fact that the daily work with customers has been stabilized. In the general meeting of Vastaamo on January 28, 2021, the owners decided to place Vastaamo into liquidation. The general meeting appointed Lassi Nyyssönen as liquidator to manage the operations of Vastaamo during the liquidation and to replace the board of directors and the managing director. If the company is unable to repay its debts as a result of the liquidation, it has to file for bankruptcy. (For more, please see the press release of January 29th at the bottom of the page.)
On February 11, 2021 Vastaamo filed for bankruptcy. The District Court of Helsinki appointed attorney-at-law Nina Aganimov from DLA Piper to act as the administrator of the bankruptcy estate of Vastaamo Oy. The administrator has taken necessary actions to terminate the services and operations and manage the estate, which includes listing the assets and debts and distributing the assets of the estate to the creditors.
Due to the bankruptcy, Vastaamo ceased to operate on March 1, 2021. Vastaamo’s main concern has been to ensure the continuation of all customers’ treatment with their own therapist or psychiatrist. According to a preliminary agreement with Verve, all of Vastaamo’s professionals, staff and services were thus transferred to Verve on March 2, 2021. Verve provides information about the transaction on its web pages, e.g. https://www.verveterapia.fi/ajankohtaista/. Bookings can be made by calling 044-41 41 000, by emailing email@example.com, or via https://www.verveterapia.fi/ajanvaraus/.
We have encouraged all customers to discuss with their own therapist or psychiatrist how their appointments and treatment can be continued. Customer relationships will be started anew in Verve’s (or other new provider’s) customer data systems; no patient data will be transferred from Vastaamo with the transferring professionals.
Vastaamo transfers its customer and patient records to the respective register holders: in the case of publicly paid services, to the municipalities and healthcare officials who ordered the services for their patients, and the rest to Kela (i.e. self-paid customers or customers whose services were funded by companies or by Kela). More information on the patient data archives handled by Kela is available at Usein kysyttyä Vastaamon tietomurrosta - kela.fi. Please contact the named parties if you have inquiries about your own patient records generated by Vastaamo staff during Vastaamo’s operations.
Vastaamo continues to cooperate with authorities in all investigations regarding the data breach.
If your data has been misused, the police instruct:
- Do not call 112 as the emergency center will not be able to help with this.
- Record and preserve any emails, messages, and other evidence you receive. Record all information about the sender at the time of receiving the message in the crime report (https://www.poliisi.fi/crimes/reporting_an_offence_online).
- Ransom should not be paid.
- Mails should not be distributed as they contain personal information.
Useful website where you can find information in English about Victim Support:
There are lots of links to Finnish websites, including https://tietovuotoapu.fi/fi/ (hopefully soon translated)
Potential actions for protecting against the misuse of your identity:
- Prohibition on registration
- Prohibition of change of address
- Prohibitions on disclosure of personal information & Prohibition of direct marketing and address assignment at
Vastaamo reimbursed Asiakastieto’s services to prevent credit misuse
To prevent credit misuse, the victims of the data breach were encouraged to order commercial credit watch services. Suomen Asiakastieto’s two products, “OmaLuottokielto” and "Tietovahti" for one year, were reimbursed by Vastaamo, as instructed on this site earlier. The web form was open until January 15th; approximately 4,400 people applied for reimbursements. If you have incurred other costs related to the data breach, please keep the receipts for potential future claims and trial / judicial process.
The authorities and Vastaamo are doing everything in their power to investigate and resolve the matter, to stop the hacked data from being disseminated and to ensure that the offenders are held accountable. In addition to the National Bureau of Investigation, the National Cyber Security Centre (under Traficom) and the Office of the Data Protection Ombudsman are involved in investigating the matter. We also utilise independent external data security and data protection experts.
Unfortunately the case is still open and investigation ongoing. The offender(s) have not yet been caught nor brought to justice. If you have any potential claims towards Vastaamo, please direct them to henkiloasiakkaat.vastaamo (at) fi.dlapiper.com.
Support helplines are available for the victims in Finnish and some in Swedish; unfortunately we don’t know whether the person answering would also be able to help in English. Please see the section “Kriisitukea tietomurron kohteina olleille: puhelinpalveluita”
Vastaamo's customer data register contained the customer's contact information and social security number. Based on these, a customer number (customer ID) was created for each customer. The database contained mainly information manually entered by the healthcare professional. Discussions are not transcribed, but session notes, as required by law, have been summarized by the healthcare professional treating you. The register also contains the dates of visits that were completed or not realized, as well as logs of all events in which the data was entered, modified or accessed. Customer information may also include treatment plans and targets and statements to/from authorities or the customer him/herself. As Vastaamo’s healthcare operations were terminated on March 1, 2021, the capability to respond to data inspection requests also ended, and customer data is being moved to public sector register holders, as described above.
We are deeply sorry for what has happened. We do everything in our power to investigate and resolve the incident and in co-operation with the authorities strive to prevent the dissemination of any confidential information.
Press release January 29, 2021: Vastaamo is placed into liquidation
In the general meeting of Psychotherapy Center Vastaamo on January 28, 2021, the owners decided to place Vastaamo into liquidation. The general meeting appointed Lassi Nyyssönen as liquidator to manage the operations of Vastaamo during the liquidation and to replace the board of directors and the managing director in their duties.
The decision was very difficult, and the situation is extremely unfortunate for the company’s personnel and customers. Vastaamo’s board of directors, management and owners carefully considered all other alternatives, such as financing solutions, corporate reorganization and operational restructuring. So far, pursuing these alternatives has been deemed impossible. Large non-recurring expenses and uncertainties following the incident have caused significant financial strain for Vastaamo, despite the fact that daily work with customers has been stabilized. Unfortunately it has become obvious that dealing with the aftermath of the data breach and extortion has jeopardized Vastaamo’s financial means to continue its operations.
In liquidation, the assets and debts of Vastaamo are ascertained, and the liquidator will consider sales of the business or its parts or its assets. If the company is unable to repay its debts, it has to file for bankruptcy.
Vastaamo’s social mission has been to improve access to psychotherapy, which is in great demand. Our primary objective is to ensure that Vastaamo’s customers can continue the treatment they need. The business operations of Vastaamo will continue during the liquidation and we encourage customers to continue their therapy.
Press release October 26, 2020: Investigation into the Vastaamo data system break-in – shortcomings in information security in the background
The Board of Directors of psychotherapy centre Vastaamo has relieved the company’s managing director of his duties.
On Wednesday 21 October 2020, psychotherapy centre Vastaamo announced that it had become a victim of a data system break-in and extortion.
Vastaamo was informed of the extortion in late September, when the extortionist approached three Vastaamo employees by way of an extortion message. The matter was immediately reported to the National Bureau of Investigation, which initiated a criminal investigation into the case. The event was also immediately reported to the National Cyber Security Centre, National Supervisory Authority for Welfare and Health Valvira and the Data Protection Ombudsman. Furthermore, measures were taken to investigate the case in cooperation with cyber security company Nixu, whose information security specialists began investigating the technical execution of the data system break-in.
The investigation by experts from the cyber security company Nixu has progressed. Nixu has provided the National Bureau of Investigation and the Finnish Transport and Communications Agency Traficom with up-to-date information about the investigation. Based on the investigations, it seems probable that the data system break-in that led to the theft of the client database took place in November 2018. The protection of Vastaamo's customer information system had a shortcoming that the criminals exploited to access the client database of that time.
Based on current knowledge, break-ins into the system may also have been possible until mid-March 2019. We are not aware of the database being stolen after November 2018, but it is possible that individual data items have been viewed or copied.
Vastaamo’s internal investigation has also indicated that the company was affected by another data system break-in in mid-March 2019. It seems apparent that the company’s managing director at this point became aware of the data system break-in and the information security shortcomings of Vastaamo. The attack that took place in March 2019 led to Vastaamo fixing the shortcoming in its customer information system and taking other measures to protect the data systems.
The current Board of Directors and majority shareholder of the company were not informed of the data system break-in of March 2019 or of the information security shortcomings in the company’s systems.
The investigation did not make it possible to obtain complete certainty over the progress of the case. Based on it, however, it is apparent that there were shortcomings in Vastaamo’s information security, as a result of which criminals have been able to break into the database during the time prior to mid-March 2019.
We are deeply sorry for what has happened and especially on behalf of our clients who were subject to the data system break-in. We apologise for the shortcomings in information security that have caused extremely heavy consequences and human cost.
The investigation will continue – no information security shortcomings observed concerning the period after March 2019
The authorities and Vastaamo will do their utmost to investigate the case, prevent the dissemination of the data and hold those responsible to account.
An audit concerning information security was conducted on Vastaamo’s IT systems by another external service provider in April–May 2019. The audit was conducted in conjunction with a due diligence process of an acquisition transaction. The audit indicated several development priorities, but no critical shortcomings in information security. After that, the data systems of Vastaamo have been developed continuously.
Since the extortion came to light in late September 2020, Nixu has also audited Vastaamo’s data systems and reinforced their protection. Nixu’s investigation found no indications of data system break-ins after March 2019.
Vastaamo’s managing director has been relieved of his duties
The Board of Directors of psychotherapy centre Vastaamo has relieved managing director Ville Tapio of his duties with immediate effect.
The Board of Directors of Vastaamo is aware that on Monday 26 October 2020, the company’s majority shareholder PTK Midco Oy took legal action relating to the acquisition of Vastaamo concluded in May 2019.
The Chair of the Board of Directors, Tuomas Kahri, will be responsible for managing the company’s operations in cooperation with the company’s management team until further notice.
The most important task of the company’s management is to support the clients in the exceptionally serious and burdensome situation. Vastaamo has launched several measures to support its clients. Up-to-date information about the support offered to clients can be found on the company’s website.
Media enquiries will be answered by Tuomas Kahri, chairman of the Board of Directors of psychotherapy centre Vastaamo. Contact: firstname.lastname@example.org
For additional information about data protection and the processing of client data, see www.vastaamo.fi/tietosuoja
Our customer service can be contacted by telephone +358 (0)44 4141 000 or e-mail tuki (at) vastaamo.fi