Administrative fine imposed on psychotherapy centre Vastaamo for data protection violations
The Office of the Data Protection Ombudsman has imposed an administrative financial sanction on the psychotherapy centre Vastaamo due to a violation of the provision of the GDPR. Vastaamo neglected its duties related to the safe processing of personal data as well as reporting a personal data breach. Deficiencies were also found in drawing up the documentation related to accountability.
The psychotherapy centre Vastaamo notified the Data Protection Ombudsman about an attack against its patient record database in September 2020. In October 2020, the Deputy Data Protection Ombudsman ordered Vastaamo to notify personally the customers who had become victims of the personal data breach. In addition, the Office of the Data Protection Ombudsman started an investigation into the legality of Vastaamo’s operations.
Vastaamo was declared bankrupt by the decision of the Helsinki District Court in February 2021. Vastaamo is no longer carrying out business activities, but it continues to process personal data. As a controller, Vastaamo is responsible for processing patient data in accordance with law and complying with storage periods.
The personal data breach should have been reported when it was discovered
Based on the technological investigation by the data security company Nixu in October 2020, an external party succeeded in logging into the Vastaamo patient record database without authorisation at least twice, in December 2018 and March 2019. It was not possible to determine the exact time of the database leak with certainty during the investigation, however, because sufficient log data had not been kept on the period when the personal data breaches occurred. Due to the insufficient documentation, it was not possible to identify the network addresses or methods used by the attacker, either.
It is likely that the patient record database was destroyed and restored during one day in March 2019. The technical investigation showed that an extortion message claiming that the attacker had downloaded the database had been left on the patient information system server. It is extremely likely that a user ID belonging to Vastaamo was used to handle the extortion message on the day in question.
Based on the information discovered during the investigation, the Deputy Data Protection Ombudsman finds that Vastaamo must have become aware that the data in the patient information system had disappeared and that it may have ended up in the possession of an external attacker already in March 2019. Vastaamo should have reported the personal data breach both to the Data Protection Ombudsman and its customers without delay, because the violations resulted in a high risk to the data subjects.
With regard to the duty to notify, the position of the people who knew about the personal data breach is not significant. The controller is responsible for ensuring that operating methods concerning the duty to notify exist and that they are followed.
The time when the unauthorised login in December 2018 occurred, the probable risk it posed to the data subjects and the existence of the duty to notify remained unclear according to the investigation.
Negligence related to the basic measures to ensure the safe processing of patient data
According to Nixu’s technical investigation, the best practices of safe service maintenance and protection methods were not followed in the maintenance of the Vastaamo patient information system server, which exposed the server to cyber attacks.
The most likely cause for the patient record database leak was an unprotected MySQL port in the database, in which the root user account of the database had not been password protected. The user account had also been granted the right to log into the database from any IP address. The patient record database server was open to the internet without the protection of a firewall at least from 26 November 2017 to 13 March 2019.
The Deputy Data Protection Ombudsman finds that the personal data had not been appropriately protected against unauthorised and illegal processing or accidental disappearance, destruction or damage, and Vastaamo had not implemented basic measures to ensure the safe processing of personal data. Due to insufficient documentation, Vastaamo was not able to prove that it would have complied with the appropriate safety requirements, either.
Reprimand and financial sanction for data protection violations
The Deputy Data Protection Ombudsman issued Vastaamo a reprimand on violating the GDPR. In addition, the sanctions board of the Office of the Data Protection Ombudsman imposed an administrative financial sanction of EUR 608 000 on Vastaamo.
The sanctions board considers the acts of negligence extremely serious and Vastaamo’s actions in neglecting the duty to notify intentional. The board states that ensuring appropriate safety would not have required unreasonable measures from Vastaamo, taking account of the nature and scope of data processing and the risks to the customers. The board finds that the negligence in protecting the data can be considered aggravated. Furthermore, the violations were long-lasting.
Among other things, Vastaamo’s actions to reduce the damage to the data subjects were taken into account as extenuating factors with regard to the sanction. As aggravating factors, the sanctions board took account of the sensitivity of the data processed as well as the deficiencies in the documentation on the personal data breach in December 2018, for instance.
An administrative fine is the lowest priority claim in a bankruptcy. Therefore, the financial sanction will not reduce the funds available for other claims in bankruptcy, such as potential compensation for damages.
The decisions are not yet final.
Deputy Data Protection Ombudsman Jari Råman, jari.raman(at)om.fi, tel. +358 (0)29 566 6757
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.