A damaging data breach affecting tens of thousands of patients at a private therapy firm has been dominating the news cycle in Finland and making headlines abroad. All Points North looks at the implications for the victims and other ordinary people, and for companies and organisations that collect and process personal data.
You can listen to the full podcast via the embedded player here or via Yle Areena, Spotify, Apple Podcasts or your usual podcast player using the RSS feed.
Article continues after audio.
Antti Virtanen, chief information security officer at tech firm Solita and member of the NGO Community Cyber Response Force, told APN that the case, in which hackers stole personal identification and address information as well as patient notes and threatened to disclose them unless a ransom was paid, is quite unusual in Finland.
"There have been data breaches in Finland earlier, there have been ransomware attacks...but never on this scale and never this kind of information which is deeply personal to a lot of people," he noted.
The psychotherapy firm at the centre of the massive data breach, Vastaamo, disclosed that it had been the target of two different attacks -- in 2018 and 2019. It is now under close scrutiny over its handling of confidential customer information otherwise.
Supervisory limitations
Deputy Data Protection Ombudsman Jari Råman told APN that firms are primarily responsible for ensuring that they adopt practices and systems to protect their customers’ sensitive data and for complying with the EU’s General Data Protection Regulation (GDPR).
"Of course, they have to supervise their own functions and personal data processing. But after that, there are also supervisory organisations including us and Valvira [Supervisory Authority for Health and Welfare], and we are also supervising personal data processing and the security of the systems from outside," Råman said.
"But naturally, as always related to supervising afterhand (sic) it can’t be so that we can supervise everything that is happening. Our resources only allow us to take those issues under supervision that have been raised," he said.
Both the cyber response NGO and the Data Protection Ombudsman’s office have provided a full check list -- in English -- for victims to go through and we’ll list them in our show notes of course.
APN also talked about efforts to ensure that sports are corona-safe given their role in maintaining wellbeing during the pandemic and revisited a years-long debate on finally calling time on the annual changing of the clocks.
Join the conversation!
This week's show was presented by Denise Wall and Zena Iovino. The producer was Mark B. Odom and the audio engineer was Panu Willman.
Sign up for the All Points North newsletter and if you have any questions or would like to share your thoughts, just contact us via WhatsApp on +358 44 421 0909, on our Facebook or Twitter accounts, or at [email protected] and [email protected].
