Will the Vastaamo Patient Data Breach Set a GDPR Penalty Record?

November 03, 2020

Failure to Protect Sensitive Data Could Set Medical Providers Up for Fines That Set a GDPR Penalty Record


Do companies have a special obligation to protect extremely sensitive personal data like medical records? Legislatures around the world have often said yes, enacting stiff penalties for failure to take adequate precautions against cybercrime or for noncompliance under statutes like HIPAA and the GDPR. So what happens when a company fails to meet that obligation? If recently imposed penalties are any indication, it could be looking at enormous fines that set a new GDPR penalty record.


Extra Sensitive Data Requires Extra Strong Protection


Protection of healthcare data is one of the most fundamental expectations that patients have from their care providers. Even before electronic recordkeeping, many countries had laws in place to require certain data handling procedures, regulate who could access those records, and punish medical providers that failed to protect the privacy of patient records.

In the electronic recordkeeping era, those restrictions have grown even tighter, with strict rules regulating access and compliance for data handling and storage – with equally stiff consequences for failure to protect patient data. Even as threats including attacks by nation-state actors and ransomware became a menace for hospitals and clinics, regulators were quick to punish medical care providers who fell victim to cybercrime that allowed bad actors access to patient data.



Even a Small Medical Data Breach Costs a Fortune


That’s still the case, and as threats escalate so do penalties. After falling victim to a ransomware attack in 2016, Athens Orthopedic Clinic PA was fined $1.5 million to settle HIPAA violations after the data of more than 138,000 patients was exposed. It doesn’t even have to be criminal activity that sets a medical provider up for trouble. In July 2020, Lifespan Health System in Rhode Island was fined more than $1 million for a breach caused by an unsecured laptop.

GDPR penalties are a potential minefield for companies in any industry that fail to protect personal data, but healthcare providers and other organizations that handle medical data are held especially stringently to the required standards in an increasingly dangerous cybercrime landscape. No healthcare provider wants to set a new GDPR penalty record, considering some of the recent enormous penalties for violations. The Warsaw University of Life Sciences was fined €11,200 for a single lost notebook full of patient data from a study. The Municipality of Rælingen, Sweden was fined €46,660 for failure to secure children’s health data collected as part of a program.


Vastaamo Breach Ups the Ante


Now, a new patient data disaster is creating a buzz about potentially whopping GDPR fines. In an unusual data breach in Finland, Vastaamo, a chain of psychotherapy and mental health clinics, suffered a massive data breach last year. The breach affected sensitive information for more than 400,000 patients, including diagnosis and treatment data, care provider notes, and session records.

But that’s not the strange part. The chapter of this story that takes this breach from serious to ground-breaking happened last week, when the cybercriminals responsible started trying to ransom the data. And not just from the business: they also demanded ransoms from the affected patients themselves. On October 21, 2020, the cybercriminals started releasing the stolen data after their demands were not met, sending shockwaves through the medical community.

So, what can we expect to be one outcome of this epic saga? Possibly a new GDPR penalty record for medical care providers. Failure to take proper precautions against ransomware and other types of cybercrime will hurt. The provider, which has changed hands since the initial data breach and is now a subsidiary of Intera Partners, will very likely be facing an enormous GDPR penalty in addition to penalties accrued at other regulatory levels. While the penalty won’t likely reach the levels imposed on Google or British Airways, it’s bound to be enormous, to emphasize the seriousness of compliance with regulations and best practices when handling extremely sensitive consumer or patient data.



Don’t Join This Club


Full compliance with increasingly byzantine data privacy regulations in many industries can require expert help. However, a few basic cybersecurity solutions can put you on the road to compliance fast, acting as both a safeguard and a growing layer of protection for your business while you consult with those experts, like the ones at ID Agent.

Ransomware attacks have climbed worldwide by more than 40% in 2020. The nasty cargo is most commonly delivered through a phishing email, specifically in a spear phishing attack. There’s no doubt that phishing is today’s biggest cybersecurity risk, with more than 90% of incidents that end in a data breach starting with a phishing email.

Protect your business from ransomware with efficient, effective security awareness and phishing resistance training using BullPhish ID. Not only do we have more than 80 complete, plug-and-play phishing simulation training kits available, but we also add 4 new ones every month to make sure that your staff is up to date on the latest threats. Our training materials also include engaging videos in 8 languages and online retention testing, making BullPhish ID perfect for in-office or remote workforce training.



Secure identity and access management is also an essential component of keeping sensitive information out of the wrong hands. CISOs around the world agree that secure identity and access management has to be a top priority for 2021. It’s a real requirement, and a cybersecurity best practice, for any company that wants to keep systems and data safe in a cost-effective way.

A multipurpose solution like Passly is extremely effective for guarding access points into your systems and data. Not only is multifactor authentication a cybersecurity best practice and a data privacy compliance requirement in many industries, but it’s also a fast, easy way to add extra safeguards that defang a password that’s been compromised through phishing. For extra access control, single sign-on launchpads empower IT staffers to quickly remove access from a compromised account, isolating it to prevent further damage.

Compliance with the GDPR, HIPAA, or any of the many data privacy regulations in place in states like California and nations like Japan isn’t as tricky and expensive as you might think. By using basic cybersecurity tools and following sensible cybersecurity best practices, combined with a healthy dose of security awareness training and a little help from an expert like our ID Agent advisors, any organization can put its best foot forward to maintain data privacy compliance and avoid devastating fines.
