The processing of the unlawful access to Vastaamo’s information system in the National Prosecution Authority
Support for data breach victims
Victim Support Finland provides practical advice in criminal matters and discussion support. All services are free of charge.
- Victim Support Finland 116 006 serves in Finnish Mon–Fri from 9 a.m. to 8 p.m. and in Swedish from 12 noon to 2 p.m.
- RIKUchat is available on weekdays from 9 a.m. to 3 p.m. and on Mondays also from 5 p.m. to 7 p.m.
- Legal advice serves Mon–Thu from 5 p.m. to 7 p.m. at 0800 161 177
Special advice and instructions for the victims of the Vastaamo case
Have you received a letter stating that your email address has been on the list of the Vastaamo data breach?
According to our information, a ransom message may have been sent to your email. The police have not been able to determine whether you were actually a customer of Vastaamo. In other words, we have information that attempts have been made to send messages to certain email addresses, but we do not know if the message has been delivered.
The appearance of your address on the blackmailer's list may also be related to situations where, for example, Kela (The Social Insurance Institution of Finland) or municipalities have directed customers to Vastaamo for treatment, but the therapy did not take place.
If you have not been a customer of Vastaamo, you do not need to worry about the letter you received.
Why wasn't I informed of this earlier?
At the beginning of the preliminary investigation, the police were only able to contact those who had filed a criminal report. The police did not have information about who else had been customers of Vastaamo. In the final stages of the investigation, a breakthrough occurred, and the police found out to whom all the Vastaamo customers the ransom message had been sent. Due to the huge number of victims, the police and the prosecutor's office decided to focus the criminal investigation only on those who had filed a criminal report. Therefore, last year the police publicly encouraged anyone wishing to participate in the criminal process to file a criminal report.
You are receiving this information now because the authorities are required to send a notice to everyone whose email address has been on the list.
I was a customer of Vastaamo, but I have not received a ransom message. What information about me could have leaked?
The blackmailer published almost all patient records of Vastaamo's patients accumulated until November 2018 on the internet. Patient records have been transferred to Kela for archiving, so you can check what information about you has been stored in Vastaamo's registers until November 2018 from Kela. If you want information from Kela, make a data request to Kela.
Information has not leaked from visits after November 2018. The blackmailer published all personal identification numbers and contact information of customers in Vastaamo's database. However, not all patients had a personal identification number marked, and some personal identification numbers were incorrect. If you suspect that your personal identification number has leaked, you can find instructions at www.suomi.fi/oppaat/tietovuoto."
A data request can be made to Kela in the following ways:
The patient records of the Psychotherapy Center Vastaamo have been archived to Kela. A customer can make a data request to Kela for documents transferred by secure email. The request can be made using the following forms:
- Request for documents on information stored in Kelas archive service for patient and client records (in Finnish)
- Application for the disclosure of information concerning a deceased person (in Finnish)
The data request can also be made without a form, in which case the customer must provide the following information in their message:
- surname and first names (including former names)
- personal identification number
- the requested information
- the service provider and the year of treatment
- the requester's phone number and address
The completed form or message containing the above information is sent via secure email to the address [email protected]. Kela forwards the data request to the City of Helsinki for disclosure of information. The City of Helsinki will contact the requester.
The City of Helsinki and Kela jointly manage the registry of patient records from Vastaamo. Kela is responsible for the storage and destruction of data and acts as a contact point for data requests. The City of Helsinki is responsible for other registry responsibilities, such as data disclosure.
Customers have the right to check what information has been stored about them in Kela's registers. Read more about data protection and the processing of personal data at Kela (Information about Kela section).
Instructions for using secure email (kela.fi)