Naked Security

Ex-CEO of breached psychotherapy clinic gets prison sentence for bad data security

Did the sentence fit the crime? Read the backstory, and then have your say in our comments! (You may post anonymously.)

We’ve said this before, but we’ll repeat it again here:

Imagine that you’d spoken in what you thought was total confidence to a psychotherapist, but the contents of your sessions had been saved for posterity, along with precise personal identification details such as your unique national ID number, and perhaps including additional information such as notes about your relationship with your family…

…and then, as if that were not bad enough, imagine that the words you’d never expected to be typed in and saved at all, let alone indefinitely, had been made accessible over the internet, allegedly “protected” by little more than a default password giving anyone access to everything.

That’s what happened to tens of thousands of trusting patients of the now-bankrupt Psychotherapy Centre Vastaamo in Finland.

Crooks found the insecure data

Ultimately, at least one cybercriminal found his way into the ill-protected buckets of information.

After stealing the data, he decided to blackmail the clinic for €450,000 (then about $0.5M); when that didn’t work he stooped lower still and tried blackmailing the patients for €200 each, with a warning that the “fee” would increase to €500 after 24 hours.

Patients who didn’t pay up after a further 48 hours, the blackmailer said, would be doxxed, a jargon term meaning to have your personal data exposed publicly on purpose.

The extortionist apparently threatened not only to leak the sort of information that could cost the victims money due to identity theft, such as contact details and IDs, but also to spill those saved transcripts of their intimate conversations with therapists at the clinic.

Although a suspect in the blackmail part of this case was arrested in France in February 2022, following the issuing of an international arrest warrant, that wasn’t the only interest taken by Finnish law enforcement.

Victim as perpetrator

Even though the clinic was itself the victim of an odious cybercrime, the ex-CEO of the clinic, Ville Tapio, faced criminal charges, too.

As well as failing to take the sort of data security precautions that any medical patient would reasonably assume were in place, and that the law would expect…

…it seems that Tapio knew about his company’s sloppy cybersecurity for up to two years before the blackmail took place in 2020.

Worse still, he allegedly knew about the problems because the clinic suffered breaches in 2018 and 2019, and failed to report them, presumably hoping that no traceable cybercrimes would arise as a result, and thus that the company would never get caught out.

But modern breach disclosure and data protection regulations, such as the GDPR in Europe, make it clear that data breaches can’t simply be “swept under the carpet” any more, and must be promptly disclosed for the greater good of all.

Well, news from Finland is that Tapio has now been convicted and given a prison sentence, reminding business leaders that merely promising to look after other people’s personal data is not enough.

Paying lip service alone to cybersecurity is insufficient, to the point that you can end up being treated as both a cybercrime victim and a perpetrator at the same time.

Have your say

Tapio received a three-month prison sentence, but the sentence was suspended, so he isn’t heading directly to jail.

Did he get off lightly, particularly considering the sensitivity of the data that his company’s patients thought they could trust him with?

Have your say in the comments below…


26 Comments

An eye for an eye and a tooth for a tooth. He should have been sentenced to a year in jail while undergoing psychotherapy and then had his recorded sessions released to the public.

I don’t see the point of any suspended prison sentence. Is this supposed to scare anyone? Was there also a financial penalty?

The company got fined (and went bankrupt). As far as I know, prosecutors argued and the court accepted that a fine without a prison sentence would not be a suitable punishment. Whether getting a prison sentence precludes also being fined, I can’t say. I suppose he could still be sued in civil proceedings, with the conviction and prison sentence acting as a pretty clear indicator of the seriousness of the matter.

and it shows the government had already found him guilty, so he has little to no wiggle room to get out of his responsibilities.

Well, the government being part of the executive rarely takes part in the court (unless being sued). Also it happens regularly that courts disagree with the government (think of supreme court in US for example), I wouldn’t think that a court really cares about the position of the government.

Also, it’s also not uncommon that different courts come to different results, see O.J. Simpson for example.

He should serve the sentence. Otherwise, there is no meaning in sentencing someone to jail and letting him free.

Although it feels like a “let off”, suspended sentences are still prison terms, but ones where the convict is effectively on parole from day one. (I nearly said from day zero, but that could be confusing in a cybersecurity story.)

So they are suspended in the sense of “the Sword of Damocles”, not in the sense of “being given support”.

I don’t know the details in this case, but suspendeds often last for a lot longer than the sentence itself, so although the perpetrator has a chance to avoid prison entirely, they are ultimately not actually “free and clear” anywhere near as quickly as if they actually did the time.

Tapio didn’t have any previous convictions, so I guess the court figured that fear of prison (with a fighting chance of avoiding it altogether through playing by the rules) was more likely to prevent him re-offending than being sent to prison, suffering total life dislocation, and then abruptly getting released later on and going through a second, possibly even more complicated, dislocation with no job and few prospects.

That said, there’s still the question of whether three months was significant enough (apparently the prosecutors argued for nine months, suspended), or whether some kind of community service somehow helping people who had been screwed over by online crooks would have been more useful and appropriate? (Cleaning up in care homes for elderly folks who landed there after losing everything, including their confidence, to identity theft, perhaps?)

If that’s all he gets is a slap on the wrist then what’s to stop others from doing the same?

Suspended sentences are common in Europe for first offenders who are not involved in crimes of violence. He will still get a criminal record and will have trouble finding another job, especially at the same level. He may also be sued.

Astonishing!! No malpractice law, and the consequent army of ambulance chasing lawyers, in Finland?
As an MD exposed to the medical practice in Canada and these US of A, I consider this a severe tort against the patients, and the sentence an “up yours and into your face” to the Finnish public! No wonder there is such a growing antipathy against the medical profession, when such an instance of blatant malpractice gets just about all but approved by the legal system … These are trying times when man strives hard not to be ashamed of his humanity, and an MD must try hard not to be ashamed of his profession! No need to mention the so called ‘justice’ …

The real crime here was not the weak security but the fact that the material was recorded digitally or on-line at all. The GDPR makes specific requirements for the recording of sensitive data and the data controller should be able to justify the retention of such data in any form. Sadly this is another area where GDPR fails the data subject despite the fact that it is an area where there could be more proactive engagement by the authorities. One wonders about the data controller registration and the level of scrutiny given to the registration!

What’s not clear is whether the company told patients (or at least had it in a contract term somewhere) that conversations would be recorded and stored in some form.

Quite why anyone would agree to their therapy sessions being recorded at all is unclear to me…

…but I agree with your sentiment that this really should be as good as impossible to justify, no matter how confident the company thinks it can be in its security, and no matter how well-placed that confidence might be.

If you never collect it in the first place, you can’t lose it later…

If the court planned to suspend the sentence then the court should have made the term meaningful. I believe serving 3 months in jail would have been insufficient; one year would have been more appropriate. But since it was going to be suspended anyway, why would the court have chosen such a trivial period? If the ex-CEO complies with the terms of the suspension he will not see any time in jail, so his period of “supervision” should have been meaningful.

If Tapio is (was?) a licensed medical professional and his medical license wasn’t permanently revoked for serious malpractice it should be.

Does he get to keep his license to practice? Suspension or cancellation of license might be a far worse penalty than a 3-month vacation with room-and-board.

Losing his licence to practise what, exactly? (Ah, the double vagaries of US versus UK spelling! Sometimes, you demand S where we require C but at other times we insist on S when you want C.)

How many CEOs these days are qualified in the primary field of the business they run (and, if the truth be told, why should they be)?

How many hospitals these days are run by people with an MB BCh (or MB ChB, or MD, or whatever a medical degree is called in each reader’s country), and how many are run by MBAs?

So he may not have a medical practitioner’s certificate to lose. And anyway, once a Doc has gone up and over into business CEOhood, how likely would they be to go back into nursing or doctoring if the CEO thing fell through?

As a previous commenter said, he may now find that his reputation makes it hard for him to get similar work (and executive authority over other people’s data) again, and that itself might help prevent him reoffending…

Non attorneys cannot share legal fees or have an ownership stake in law firms. They don’t have the same ethics-bound relationship with clients that attorneys do. They’ve taken no oath. Why shouldn’t medical practice be the same?

You have to ask the question “when is a prison sentence not a prison sentence?” A suspended sentence is no deterrent at all.

I’m pretty sure that most people really, really, REALLY don’t want to go to prison even for a moment, so you may find that suspended sentences act as very good deterrents. (To be clear, that is based on speculation, not on personal experience!)

I’ve not looked at any stats but if any of our readers who are criminologists (or better yet, cybercriminologists) have studied this issue, we’d love to hear from you…

In Germany, some young clan-criminals get one suspended sentence after another, without ever going to jail. Doesn’t seem like a big deterrent.

The good part is that an officer of a company was made personally liable for a criminal act. It would seem that some senior officers in companies are happy to accept more responsibility when it comes to calculating bonuses than when it comes to accepting responsibility for company failures.

As to the length of sentence, it seems a little short given the highly sensitive nature of the information that was stolen and the effect that could have on people’s lives. Whether or not it should have been suspended probably affects our sense of justice more than it does the likelihood of re-offending, and if there had been a public protection issue he would probably have been sentenced differently.

This POS should do the time. 3 months is not that long for the 3 breaches discussed in the article. These idiots only get it when there are PERSONAL consequences to them.

Should have made a better example of him and sentenced him to a few years hard time. Knowingly ignoring responsibility should hurt.

Real consequences of hard time would have a way of deterring blatantly bad or non-existent cyber protections. In the US we have firms like TMobile and others breached repeatedly and likewise no consequences.

If you think of incarceration as a way of separating violent criminals from the general public for the purpose of both protecting the public from the criminal and for investigating the potential rehabilitation of the offender in an isolated environment, then a suspended sentence is absolutely appropriate in this case.

If, on the other hand, you think of incarceration like some sort of “time-out” for naughty adults who misbehave, then I’m sorry to have to tell you that your childish understanding of incarceration is just that: childish. The notion that a person can somehow “pay their debt to society” simply by sitting in a jail cell for several years is ridiculous. All they do is sit around with other, more dangerous, criminals and brainstorm ways to not get caught next time, all while costing taxpayers MORE money for their free healthcare, free education, free food, and free housing.

Massive fines, asset forfeiture, and prohibitions from ever serving as a consultant or executive officer for a company are all much better ways of preventing a repeat.
