Abstract
This teaching case demonstrates the crucial role of information security and data protection in the digital era. To this end, we first discuss the importance of data protection and information security as essential business capabilities for modern organisations. We argue that approaching information security from a business model perspective, instead of a purely technical perspective, enables companies to better understand the value of data protection for ensuring business continuity and long-lasting business relationships with customers and partners. To support this viewpoint, we draw on the biggest data breach in the history of Finland that affected over 33,000 patients of Vastaamo Psychotherapy Centre. While the breach led to Vastaamo’s bankruptcy and financial and legal consequences for several stakeholders, the significance of the breach lies in its societal impact. The breadth and cruelty of the breach caused outrage across the country and led to raising consumer and industry awareness of cybersecurity. As such, this teaching case enables the audience to better understand the consequences of information security incidents on firms and their stakeholders.
Keywords
Case overview
On February 3rd, 2023, Finnish police announced that a 25-year-old man, suspected to be behind the Vastaamo data breach, has been arrested in France and will be returned to Finland for trial (Finnish Police, 2023). Suddenly, a spark of hope began to flicker that the attackers behind the biggest, and perhaps the most influential, data breach in Finland’s history, would be held accountable for stealing the sensitive personal information of over 33,000 patients of Vastaamo psychotherapy centre. Founded in 2008, Vastaamo had grown annually by two-digit numbers to become one of Finland’s major providers of mental health services with an annual revenue of 14 million euros (Hiilamo and Kukkonen, 2020). The company aimed to provide high-quality and rapid mental healthcare services while also lowering the threshold and difficulty of getting help for mental health problems. This was of particular importance as the public health care services on mental health were largely reported as suffering from a lack of personnel and resources, while also facing increasing demand, leading to longer waiting times and challenges in providing quality care (European Observatory on Health Systems and Policies, 2023). In 2020, Vastaamo offered its services via over 20 clinics and online channels and had approximately 400 people on its payroll (Hiilamo and Kukkonen, 2020). The company was a sub-contractor for Finnish public health services (Tanner, 2020), treating well over 10,000 customers annually; the number reached to 13,654 in 2018 (Hiilamo and Kukkonen, 2020). During the years, the company had received recognitions relating to its success, such as a ‘societal company’ certificate from the Association for Finnish Work in 2014 and chosen to the listing of fastest growing start-ups in 2016 by a commerce-oriented newspaper Kauppalehti (Association for Finnish Work, 2016).
In October 2020, it was announced that Vastaamo had been the subject of a data breach, in which attackers managed to steal personal information on more than 33,000 of its patients and their psychotherapy treatments (The Guardian, 2020; YLE, 2023). So far, this has been the biggest data breach in the history of Finland, a country which is known as a pioneer in digitalisation and information security. Soon after the attack, several reports by cybersecurity firms indicated that the data breach was not the result of a sophisticated attack but rather an outcome of Vastaamo’s inadequate information security posture. The news was especially shocking since in addition to healthcare being a highly regulated sector, Finnish companies must comply with national and international legislations including the General Data Protection Regulation (GDPR), which demands strict privacy and data protection measures from the companies that handle personal information of European citizens. 1 The breadth and cruelty of the breach caused outrage across the country, impacting various stakeholders, but most importantly Vastaamo’s patients. To describe the gravity of the breach to the victims, one legal representative representing approximately 1500 of the victims stated the following: ‘In some of the cases, the victim has taken their own life as it has become known that the information has been leaked to the public. Some have committed suicides during the criminal investigation of the breach. Then there are victims, who have told being very close to this as all this has been so crushing for them’ (Helsingin Sanomat, 2024). In addition, several of the victims noted that the breach had not only affected them but also people close to them, already because in the therapy sessions the patients had often discussed matters that concerned people such as their family members, relatives and close friends (Harju, 2023). Overall, the incident became among the biggest reported crimes in Finland, as more than 25,000 offences linked to the case were reported to the police by early 2021. In 2023, the investigation led to the arrest of a Finnish hacker, who is being accused of multiple charges ranging from gross breach of data to blackmail. The court is set to deliver its judgement in the criminal case on 30 April.
In the following, we first discuss key information security and data protection areas relevant for the case analysis. Then, we briefly introduce business model dimensions and discuss the importance of information security and data protection for firms’ value generation capabilities. In the end, we describe the Vastaamo data breach, its root causes and outcomes in closer detail.
Information security and data protection
Information security aims to protect information and data assets from unauthorised access, use, disclosure, disruption, modification or destruction (Andress, 2014). To this end, confidentiality, integrity and availability are three key objectives that must be addressed to ensure the least level of acceptable information security. Confidentiality is about preventing information leakage or protecting assets from those who are not authorised to access them. Integrity is about protecting our information assets against unauthorised modification or information corruption. Availability is the ability to have authorised access to assets or the information they handle whenever needed. To address these three objectives adequately, we must be able to authenticate and authorise those entities that should have access to our information assets. While authentication is about proving that an entity or subject is the one who claims to be, authorisation is about checking whether the entity has the right to access and perform a particular activity on the asset or not. If any of these security objectives are compromised, for instance, through a security incident or data breach, an asset might lose its value generation capability or cause economic, social, or legal costs for the asset owners. A data breach often compromises one or more of these objectives as reflected in the definition provided by the National Institute of Standards and Technology (NIST National Institute for Standards and Technology, 2020: 397): “The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for another than authorized purpose.”
Therefore, it can be said that a data breach mainly compromises the confidentiality of data and information assets; however, it can also lead to compromising availability and integrity objectives, by making assets unusable or unavailable for use or tampering with assets and making unauthorised changes to them. While a data breach can occur unintentionally, it is often the result of an intentional cyberattack by hackers or cyber criminals. As such, a data breach often starts with exploiting a vulnerability in the computing environment. Vulnerability is a weakness or flaw in the computing environment or any of its components that can be intentionally exploited by attackers or accidentally triggered and lead to the occurrence of a threat (Andress, 2014). In general, we have four types of vulnerabilities in a computing environment: (1) technology vulnerabilities, (2) human vulnerabilities, (3) physical vulnerabilities and (4) procedural vulnerabilities. Software defects and hardware misconfigurations are two of the most common technology vulnerabilities. Susceptibility to humidity and faulty door locks are examples of physical vulnerabilities, while unaware or ignorant users and deviant employees can be seen as human vulnerabilities. Finally, a defective access control policy or lack of proper incident management procedures are examples of procedural vulnerabilities. For example, a flaw in access control processes that allows unprivileged users to change the permissions on a file could allow an attacker or an insider to compromise information security and abuse assets. Therefore, to mitigate the risk of data breach and other security incidents we must identify and address all the known vulnerabilities associated with an information systems asset.
Attacks targeting data assets have been growing substantially in terms of number, sophistication and impact. A report published by European Union’s Agency for Cybersecurity (ENISA), shows that cyberattacks for gaining unauthorised access and manipulation of data (i.e. data breach and data leak) were among the prime threats in 2023 (Ifigeneia Lella et al., 2023). These attacks can cause various reputational, economic and social consequences for their targets. As shown in the past, for instance, in the Target case (Pigni et al., 2018), a data breach can lead to negative publicity and damage a firm’s reputation, while causing hundreds of millions of direct and indirect financial losses. In addition, considering their nature, data breaches can have a devastating negative impact on society and the public. The finance and health sectors are primary targets of cyberattacks, aiming to cause a data breach or data leak for gaining unauthorised access to customers’ personal data. Finance and health sectors are lucrative targets for cybercriminals who are interested in financial gains (Poyraz et al., 2020), since customers’ personal data can be traded in the dark net or used as leverage for demanding ransom from companies. As a result, data breaches that involve customers' personal information can cause hundreds of millions of financial costs, for instance, to recover the compromised assets or to cover fines for non-compliance with regulations such as GDPR. The average cost of a data breach is estimated to be 2.1–5.7 million USD (Poyraz et al., 2020). While these costs can be ‘negligible’ for big techs and large corporates, they can be detrimental for small and medium-sized (SMEs) companies, which have become the primary target of attackers in recent years. A survey by McKinsey shows that 60% of SMEs think that they would most likely go out of business if they were subject to a data breach. The same report shows that, in 2021 almost 10% of the respondents stopped collaborating with a supplier that has been a target of data breach (Aiyer et al., 2022). Therefore, it becomes evident that protecting customers’ data and personal information is a crucial mission for data-driven and digital businesses.
Information security and its impact on companies’ value generation capabilities
Traditionally, organisations have considered Information Technology (IT) as a support function for creating and delivering value through non-digital products and services (Carroll et al., 2023). From such a perspective, information security has been considered an unnecessary by-product (Whitman, 2003) that can be addressed by implementing technical solutions such as antivirus software, firewalls, network segmentation, etc. Therefore, in the past, organisations have mostly focused on addressing information security risks through heavy investments in implementing technical security solutions instead of integrating information security into their business processes (Datta and Acton, 2023).
However, this traditional view does not suit the digital era, where data and digital solutions are at the core of many organisations’ business strategies and operations. Nowadays, organisations heavily rely on collecting and processing vast amounts of data to create, deliver and capture value. Thus, understanding how to handle information security and privacy threats and risks is an essential business capability for digital organisations (Rothrock et al., 2018). In addition to implementing technical security controls, organisations must be able to integrate information security into their operations and activities (Datta and Acton, 2023). To this end, we argue that approaching information security from a business model perspective enables organisations to better understand and consider the importance of protecting information and data assets for their survival.
Generally speaking, a business model provides a holistic and simplified overview of how a firm operates in its socio-economic ecosystem to achieve its business objectives through value-generating processes and activities (Al-Debei and Avison, 2010). Business models consist of four components shown in Figure 1: value proposition, value chain, revenue model and value architecture (Al-Debei and Avison, 2010; Gassmann et al., 2014). Business model components (authors' work).
The value proposition component includes a description of the services and products an organisation offers or intends to offer to address specific customers' or users' needs. The value chain depicts an organisation’s relationships with its stakeholders (e.g. end-users, customers, partners and authorities), defining the position and role of each stakeholder in this multi-party network as well as the mode and nature of collaborations between them. The revenue model defines how a company generates revenue through value proposition and what are the costs involved in this process. Finally, the value architecture component provides a holistic overview of an organisation’s technological and organisational infrastructure. As such, the value architecture is the digital and organisational infrastructure, comprising all the information and data assets of an organisation, alongside technological and organisational capabilities, that enable a company to leverage those assets to generate and deliver value to its customers over time.
For an organisation to be successful, all the business elements must be coherent and aligned with an overarching mission statement and business strategy (Al-Debei and Avison, 2010). However, considering that nowadays information and digital technologies are at the core of organisations’ business operations, it is almost impossible to imagine that companies could create and deliver value to their customers without protecting their information and data assets as well as technologies and processes that leverage these assets. Information security incidents and data breaches mostly target the value architecture dimension (i.e. data and information systems), they often damage a firm’s reputation among its stakeholders (i.e. value chain), interrupt its services (i.e. value proposition), and cause financial losses and costs for the company (i.e. revenue model). For instance, previous research has shown that trust in a service provider plays a key role in a long-lasting and stable relationship between consumers and the service provider (Coulter and Coulter, 2002), especially in the case of personalised services, such as psychotherapy and mental health support, where the value is generated based on self-discloser of sensitive personal information about the user (Klossner et al., 2023). Considering the sensitive nature of topics discussed in a psychotherapy session, the service providers must create a safe environment in which the patients are enabled to openly discuss their most personal topics without any fear or privacy concerns. To that end, addressing users’ privacy concerns, in terms of protecting their personal information, can help service providers gain customers’ trust and consequently maintain their business relationships (Klossner et al., 2023). Failure to protect customers' data and information can negatively affect their trust in the service providers which can ultimately lead to significant losses for the company. In addition, protecting information assets, especially customers’ data, is mandated by many national and international laws and regulations. For instance, the GDPR is an essential data protection and privacy law that must be considered by all the companies located or operating in the European Union (EU). Approved in 2016 and implemented in 2018, GDPR focuses on strengthening EU citizens’ rights in terms of protecting their personal information and gaining control over their data. This has led to tremendous changes and investments in data collection and processing practices of the firms that operate in the EU, mainly to avoid fines and sanctions associated with GDPR non-compliance which can reach up to 4% of a company’s annual global turnover or EUR 20 million, whichever is greater (Poyraz et al., 2020). A recent report by Thales shows a correlation between investment in compliance and resilience against data breaches, implying that improved compliance leads to better security outcomes (Thales Group, 2022). Still, in recent years many companies have faced lawsuits and hefty fines due to non-compliance with GDPR. For instance, in 2023, the Irish Data Protection Authority issued a 1.2 billion euro fine for Meta, due to transferring Facebook’s users’ personal data to the United States (European Data Protection Board, 2023).
Therefore, managers and board members must understand the threats and risks associated with data breaches and consider them in their business strategies (Rothrock et al., 2018; Von Solms and Von Solms, 2018). In other words, they must recognise the need for business-driven security strategies that determine the appropriate level of security needed to protect data and information assets while supporting innovation and business continuity. In the following sections, we demonstrate how neglecting this crucial consideration led to the bankruptcy of a fast-growing psychotherapy centre in Finland.
Vastaamo data breach
According to public records, in at least two separate intrusions, first in December 2018 and another one in March 2019, an attacker was able to gain unauthorised access to Vastaamo’s database. This database contained, personal information (e.g. social security numbers) of approximately 33,000 patients, confidential therapy records (e.g. notes from the therapy sessions) and information on Vastaamo’s employees (Kärkäinen, 2020). Due to Vastaamo’ inadequate information security monitoring and logging practices, post incident investigation has been challenging, especially since it was difficult to deduct the exact time and count of the data breaches, the network addresses the attack originated and the methods used in the attack (Office of the Data Protection Ombudsman 2021). However, according to the National Bureau of Investigation it seems that during the first attack in December 2018, the attacker retrieved the data from the database, later on to be used to blackmail the patients.
In the second intrusion in March 2019, the attacker tampered with databases containing patient and employee information and made it unavailable for Vastaamo. In addition, the attacker left a ransom message demanding 40 bitcoins, at the time approximately worth 450,000 euros, for returning the data. The company refused to pay, and while Vastaamo introduced some security measures right after the second breach in March 2019, it did not inform the Data Protection Ombudsman of the breach, as demanded by GDPR.
As Vastaamo did not comply with the ransom demands, the attacker focused the efforts to extort the patients, whose data had been stolen. On average 30,000 Vastaamo’s clients were approached, demanding a ransom ranging from 200 to 500 euros (Ralston, 2021). To strengthen the threat, the attacker made patient records and notes from sessions of more than 2000 Vastaamo’s customers public (Hämäläinen and Rummukainen, 2020; The Guardian, 2020) as shown in Exhibit 1. However, all the retrieved data were soon made public by the attacker to the dark web. This was most likely due to the carelessness of the attacker while intending to create a program to release the data in batches of 100 patients per day. After the attacker threatened to make the breached data publicly available online, Vastaamo reported the crime to the police in September 2020. As the data became public, the company was forced to make a public statement on what had happened 1 month later in October of the same year. The announcement published by attackers about the data breach (source: Hämäläinen and Rummukainen, 2020).
The public records and reports by several cybersecurity firms point out a number of system vulnerabilities and mistakes in the Vastaamo case, which on their part enabled the incident to occur. For instance, Vastaamo’s software system handling the stolen data was developed by the founder and Chief Executive Officer (CEO) of the company, Ville Tapio, described as a self-taught programmer (Hämäläinen and Rummukainen, 2020). No outside experts were utilised in the process, for instance, to make sure the system’s security met standard security requirements for such a system. Later on, when the system was operational, the company did have two IT personnel on its payroll, who were also responsible for the system’s security. However, both of them were on zero-hour contracts and stated that security was not an area that was seen worth spending by Tapio as the focus was more on developing new features onto the system (Ruonakoski, 2023b). Tapio later claimed that there were several information security features and measures built into the system, but they were turned off, possibly by an employee of the company. However, it was difficult to establish whether this had been the case.
In the past, Vastaamo's database managements system had experienced unexpected shutdowns (Noori, 2022). As a result, the IT personnel administering the database enabled remote access to the database in 2017, allowing the restoration of the database to be done, for example, from the database administrator’s home if that had to be done at late hours (The Guardian, 2020). In essence, this meant that the servers hosting the databases could be accessed over the internet from any location. The IT personnel also claimed that Tapio had the habit of making changes to the code directly by himself and no version control was used to develop the system. The remote access thus also enabled Tapio to do the changes from any location (Ruonakoski, 2023b). According to a news article (Ruonakoski, 2023b), one of the IT personnel has stated:
“It [the system] was built on a web software called Symphony, even using the older version of it. Ville [Tapio] also wanted that you can use it conveniently from the outside.”
Ville Tapio denied the accusations and claimed that the IT personnel had acted on their own without informing him and were responsible for enabling the incident to occur (Ruonakoski, 2023a).
In the aftermath of the attacks, a cybersecurity company Nixu was hired by Vastaamo to conduct an information security audit and to upgrade Vastaamo’s information security systems (YLE, 2020, FINLEX, 2021). Through their investigation, Nixu confirmed that the server hosting the IT system was not protected by a firewall, which made it vulnerable to outside attacks via the network. This had been the case for 1.5 years, from 2017 to 2019 (Office of the Data Protection Ombudsman 2021). It can be assumed that during this time, the server had been found by the attacker with the help of network scanning tools.
In addition, the company did not seem to have proper access control policy and practices, for example, to enforce multifactor authentication and use of Virtual Private Network (VPN) for remote access to the server containing patients’ records. Besides, there were two user accounts with access the database, and the password for one of the accounts did not meet the general requirements for a strong password. When the first attack took place in 2018, the ‘user account of the [patients’ record] database had not been password protected’ (Office of the Data Protection Ombudsman 2021). Furthermore, at the company level, there were no requirements for employee passwords nor were there anti-malware software installed on the employees’ computers. Due to these factors, the attacker had easy access to the server hosting the database.
The information on the database was not anonymised nor encrypted either, meaning that whoever had access to the database was able to read its contents and link those to the corresponding patients (Ralston, 2021). No logs of system events or transactions were collected or stored for a long enough time. This also meant that in the aftermath of the attack, it was cumbersome to establish factors such as the origin or exact time of the breach or how exactly it was carried out (Office of the Data Protection Ombudsman 2021). After the second breach in March 2019, in which the database was removed and a ransom message was left by attacker, one of the Vastaamo’s IT personnel proceeded to patch vulnerabilities identified in the database. However, by this time the damage was unfortunately already done.
Overall, it was stated in Nixu’s report that Vastaamo had not maintained nor updated the system containing the patient information database so that it would be on par with industry standards and key security procedures (FINLEX, 2021). For instance, healthcare information systems in Finland are divided into two classes, A and B. Systems in class A are connected to Kanta Services, a centralised service enabling health information exchange across stakeholders such as healthcare providers and citizens. These information systems in class A, and with that, their related security measures and features, are checked thoroughly by the officials before joining Kanta and monitored afterwards. 2 Vastaamo on the other hand operated its IT system to store patient data, including their personal information and notes of their therapy sessions. As it was not connected to Kanta, the system was an instance of class B, and the system was not subjected to external audits nor regular information security checks (Hiilamo and Kukkonen, 2020). For a system in class B, it suffices for the system’s producer to write a report on the implementation of key system security requirements (Kanta, 2018).
Vastaamo also failed to have or comply with many standard processes concerning data breaches and breach prevention. To begin, the company did not inform the authorities immediately after detecting the breach, as required by regulations. It also emerged that there was no documentation on who had been granted access or from whom it had been withdrawn. Similarly, no external audits had been conducted to evaluate Vastaamo’s cybersecurity preparedness and identify its information security shortcomings and needs. Vastaamo had no established incident management procedures or processes for dealing with security incidents and data breaches. Even though the post incident investigations recognised a document entitled ‘Psychotherapycenter Vastaamo Oy’s actions in a data breach scenario’, there was no evidence (e.g. a date) showing that the document was created before the attacks (FINLEX, 2021). Besides, the document did not even fulfil the basic criteria of an incident response plan, as it did not explain, among other things, how to prevent, report and recover from a breach.
Aftermath
The breadth and cruelty of the breach caused outrage across the country, impacting various stakeholders. Most impacted were naturally the over 33,000 Vastaamo’s customers, whose private information was made public. In addition to the pain caused by the leak of highly sensitive information, these people also became more vulnerable to possible identity thefts in the future as their personal information was available on the dark web. The breadth of the breach was also reflected in the statement made by the country’s president at the time, Sauli Niinistö, as reported in a news article (YLE, 2020a): “This concerns us all. From any of us, there is so much information being gathered on different platforms. It also touches us through our inner selves, which we seek to guard. Now that part of us has been injured.” - Sauli Niinistö, Finnish President (2012-2024)
Overall, the incident became among the biggest reported crimes in Finland, as more than 25,000 offences linked to the case were reported to the police by early 2021 (Ralston, 2021).
Information started also to emerge that Vastaamo’s handling of the case as well as their information security was far from perfect. Shortly after the breach had become public, Vastaamo’s CEO and its founding member, Ville Tapio, was fired by the board of directors. Among other things, he was accused of hiding the breach when in 2019 he had sold Vastaamo for slightly over 9.5 million euros to the holding company PTK Midco (YLE, 2020b).
Kela, the Finnish Social Insurance Institution that is responsible for settling benefits under national social security programs, announced in November 2020 that it will no longer refer new patients to Vastaamo. At the time, 2200 of Vastaamo’s customers’ therapies were financed by Kela. Vastaamo also announced that some of its therapists had decided to leave the company, while customers started to quit their treatment (YLE, 2021).
Vastaamo filed for bankruptcy in February 2021. At the time, it had assets worth 2.2 million euros while its undisputed debts reached 5.9 million. In addition, the company was expected to received hefty fines and pay compensations to the parties who were influenced by the data breach (Svahn and Karppi, 2021). Eventually, the victims only got a small compensation of 90 euros each from the bankruptcy estate of Vastaamo, while the company received a 608,000 fine for non-compliance with the GDPR (Office of the Data Protection Ombudsman 2021). In 2022, the then ex-CEO Tapio was sentenced to pay eight million euros as compensation for PTK Midco, and later in 2023, to a probation of 3 months for a data protection offence. The business of Vastaamo was sold to another company called Verve, which had assured that all Vastaamo employees would be guaranteed to keep their jobs. Patient records and IT systems were not included in the sale (Svahn and Karppi, 2021).
Several actors and entities such as cybersecurity companies offered their help to identify and catch the attacker. In 2023, the investigation led to the arrest of a Finnish hacker. He is being accused of multiple charges ranging from gross breach of data to blackmail. On 9.3.2024, it was announced that 1200 of the data breach victims had signed a settlement agreement with the hacker to ‘circumvent civil lawsuits and enable victims to receive compensation without enduring lengthy court proceedings’ (YLE, 2024).
Discussion questions
1. Analyse the firm’s business model and security needs by answering the following questions: 1. What is the value proposition of the company (i.e. offerings)? 2. Who are the main customers and stakeholders of the company (i.e. value chain)? 3. How is the revenue generated and what are the main costs of the business (i.e. revenue model)? 4. What are the most important assets of the company in terms of business value generation (i.e. value architecture)? 5. What are the least security objectives (e.g. availability, confidentiality) that must be ensured to leverage the assets’ value generation capability to achieve the firm’s business mission? 6. What are the costs and consequences of compromising the security objectives of these assets? 2. Analyse the attack by answering the following questions: 1. Which specific vulnerabilities were exploited by the attackers? 2. Which assets were tampered with and which of the main security objectives (e.g. availability, confidentiality) were compromised? 3. How did the compromised assets affect the firm’s business model dimensions (e.g. value proposition)? 3. Analyse the company’s response to the attack to answer the following questions: 1. Which stakeholders were affected by the attack and what were the consequences for them? 2. What was the public’s reaction to the firm’s response?
Footnotes
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
Notes
Author biographies
Assistant Professor
Postdoctoral Researcher
