The board of the private mental health service company Vastamo on Monday dismissed CEO Ville Tapio, effective immediately, following the destructive data breach.
Chairman of the Board Tuomas Kahri is responsible for the company’s operations with the management team.
The company has been in the eye of the storm since last week when it was revealed that highly sensitive information about thousands of patients had been stolen from its database. Vastamo, which has treated approximately 40,000 patients, is a subcontractor to several large public sector hospital districts.
Some of the files – including highly personal material such as diaries, diagnoses and contact information – have been published on the dark web. The company and individual patients and staff members have received demands to pay Bitcoin ransoms to prevent additional information from being leaked.
Another breach in March 2019, shortly before the sale of the company
Initially, the company stated that the breach only affected data received before November 2018.
The board announced Monday that an internal probe had determined that a second breach had occurred in March 2019. It appears that Tapio was aware of the breaches and deficiencies in the psychotherapy provider’s information security systems at the time.
After the 2019 cyber attack, Vastamo’s security was strengthened. However, its current board and major shareholder were not notified of the March 2019 security breaches or security vulnerabilities.
Also on Monday, PTK Midco, the main owner of Vastamo, started litigation related to the acquisition of Vastamo in May 2019. PTK Midco is owned by the Helsinki-based private equity company Intera Partners.
No “critical security vulnerabilities” found in spring 2019
In April and May of the same year, an external company performed an audit of Vastamo’s IT systems in connection with the acquisition. That audit found several areas for improvement, but no critical security vulnerabilities. According to the company, it has since been constantly updating its information systems.
When the company’s management first became aware of the blackmail activity at the end of September, the security company Nixu was hired to inspect and update Vastamo’s security systems. It found no evidence of breaches after March 2019.
According to the company, Nixu has made progress in its investigation and shared information with the National Bureau of Investigation (NBI) and the Transport and Communications Agency (Traficom).
According to the company, it has launched several processes to support its customers, which are listed on its website.
Yle has not been able to reach Tapio for comment.
The afternoon newspaper Ilta-Sanomat was the first to report his dismissal.
Source: The Nordic Page