
Vastaamo Case from the Victim Perspective

This website is being updated. Read more: The processing of the unlawful access to Vastaamo’s information system in the National Prosecution Authority


The hacking of the patient database of psychotherapy centre Vastaamo was an unprecedented case in Finland, both in terms of extent and content. In this article we discuss a few scenarios the victims face. As the investigation is still ongoing, there are several possibilities. At the moment, all that victims can do is follow communications from the police and wait for instructions. The important thing is that the crime has been reported to the police and all documentation of possible damages has been filed.

Read more: What to do if your personal data has been leaked online

If you need conversational support and practical advice in criminal matters in English please contact Victim Support Finland using the contact form.

The police announced in November 2020 that over 25,000 victims had filed criminal complaints. The case is being investigated as aggravated hacking, aggravated invasion of privacy and aggravated blackmail.

The investigation is ongoing, but the hacker has not yet been caught. It is also unclear whether one or more hackers are involved. If the hacker is caught, they will be brought to justice, which in turn will offer victims a possibility to claim damages.

The hacker is not the only one who may be liable to pay damages, however. The General Data Protection Regulation of the EU (GDPR), which entered into force in spring 2018, contains strict rules regarding the collection, safekeeping and processing of personal data, and non-compliance with the rules can lead to sanctions. The GDPR specifies two roles for people or organisations that are in charge of handling personal data. One is a data controller, who determines the purpose and the method of gathering personal data, the other a data processor, who is in charge of safekeeping and processing of the data on behalf of the data controller.

The data controller responsible for most of the hacked personal data was Vastaamo. There are exceptions, however: where a health care organisation has outsourced services to Vastaamo, the data controller is the organisation and Vastaamo is the data processor.

Under the GDPR, Vastaamo as data controller has also been responsible for protecting the data. This means that legal action can be brought against Vastaamo if it is considered to have violated its duty. In cybercrime, corporations are sanctioned with administrative penalties. Tomi Voutilainen, professor of public law at the University of Eastern Finland, says that in a case like this, the hacker would be tried under the Tort Liability Act, whereas Vastaamo would be tried under the GDPR and its provisions for compensation and liability.

Voutilainen points out that the liability for damages for Vastaamo and for the hacker are not for the same damages. For example, damages caused by the hacker that are no longer linked to the data controller cannot be considered the data controller’s responsibility. Awareness of this distinction is important also for victims in this case, because the compensation processes against Vastaamo and the hacker are quite different.

Currently the Office of the Data Protection Ombudsman is investigating whether Vastaamo has neglected its duties involving data security and personal data. The results of the investigation are said to be released by summer 2021. Until then it is not reasonable to estimate the victims’ possibilities of getting compensation for damages from Vastaamo. Also, because the police are still investigating the hacking, it is too early to estimate how likely it is that the victims will get compensation for damages from the hacker.

Possible action against the hacker

Tero Muurman, detective chief inspector at KRP (National Bureau of Investigation), says that victims should follow information issued by the police as regards the Vastaamo case and any instructions to victims.

“It is, in practice, impossible to inform every victim personally about the process, because there is such a huge number of victims. We will of course try to provide as much information about the investigation as possible,” says Muurman.

According to Muurman, it is still too early to say whether it will be necessary to hear victims in the process. The police will basically question all victims, but owing to the number of victims in this case, it is likely that several different methods will be used to conduct the questioning.

“Contacting victims and questioning them does not require that we catch the hacker first, and we may well start doing so soon,” says Muurman.

According to Muurman, the current situation is that the police will contact victims only once during the investigation to gather information.

“In the case of some individual victims, we may of course need to ask additional questions.”

Because of the exceptional nature of the case and the large number of victims, the police are unlikely to expect victims to pursue the case actively. Generally speaking, we may say that, unless it is necessary to hear a victim in a trial, it is enough that the victim presents the court with a claim for damages in writing.

“The first point in time when a claim for damages can be made is when the victim is questioned by the police. The victim can state whether he or she intends to claim damages and if he or she intends to press charges against the offender. If the victim claims damages, the district court will send a letter to him or her prior to the trial, asking the victim to file the claim in writing. The victim can also present the claim for damages during oral hearing at the trial,” says Tuomas Soosalu, special public prosecutor from the prosecution district of Southern Finland.

According to Soosalu, the district court can also decide on compensation for damages in the victim’s absence. It is therefore up to the victim to decide whether to attend the trial or not.

On the other hand, the prosecutor can also consider it necessary to hear the victim at the trial, in which case the court will send the victim a summons to attend the trial.

“Trials are generally public occasions, and anyone can attend them. However, because the capacity of courtrooms is limited, it is possible that not everyone can attend at the same time. The decision about what to do in a case when all victims cannot attend a trial simultaneously is made by the court,” says Soosalu.

What is Vastaamo’s liability?

All Vastaamo clients have the right to review what data concerning themselves are kept in the register and for what purposes. After receiving a request for such review, Vastaamo must issue a copy of the data in their register to the person making the request. The copy is free of charge, but if you want more than one copy, Vastaamo may charge you for the additional cost. Unfortunately, under current legislation it is not possible to erase all data from the register.

Under the GDPR, Vastaamo, in its role as data controller, is liable for material as well as non-material damage caused by the hacking, if it is found that Vastaamo has failed to comply with the GDPR. According to Voutilainen, material damage can take the form of financial loss, and non-material damage the form of mental distress. In the Vastaamo case, both forms of damage are possible.

Any administrative penalty to Vastaamo will be determined by the Office of the Data Protection Ombudsman, which will determine whether Vastaamo has violated the GDPR or not. If it has violated the regulation, the Data Protection Authority can impose a sanction on Vastaamo, such as an administrative penalty. The imposed penalty is payable to the state; it does not lead to automatic payment to the victim.

“The decision to impose an administrative penalty is made by the Data Protection Authority, and the decision mentions that Vastaamo has not complied with the requirements of the data protection regulation in its operations,” says Voutilainen.

If the Office of the Data Protection Authority decides that Vastaamo as data controller has neglected its duties involving data security and personal data, victims have two paths for claiming compensation from Vastaamo: through the courts or through out-of-court settlement.

According to Voutilainen, an out-of-court settlement would be better for all parties, rather than a trial, but he points out that even a settlement is not without its problems.

“The problem is that when there are so many victims, negotiating a deal is extremely difficult. Seeking compensation for damages through the courts is not a good idea, at least in individual cases, because the compensation for suffering, for example, would probably be quite small, at maximum a few thousand euros.”

Voutilainen points out that although it is possible for individual actions to be merged into a single trial, an actual class action lawsuit cannot be raised in data security matters in Finland. Because court decisions can be appealed, it could take years for the case to be resolved.

“If the issue of compensation for damages is decided in the courts, the case can be taken all the way to the Supreme Court. Such a process takes years, and especially when there are several parallel claims processes, they can delay the process mutually,” Voutilainen says.

By contrast, out-of-court settlements cannot be appealed, which is why Voutilainen considers a deal a faster way to settle damages.

“If the parties could reach an agreement about compensation, the process would be over.”

Voutilainen also points out that an out-of-court settlement would avoid at least some of the publicity that a court case would involve. Such publicity could cause even more distress to the victims.

It is known at this time that at least one law firm, working pro bono on behalf of a number of individuals, has drawn up claims for damages to Vastaamo.


What next?

The right of a person to be compensated for damages caused by criminal action is protected by special provisions. This means that the liability for damages is not covered by statutory limitation while the claim is active or being processed in court, or if the plaintiff is appealing a decision in the Appeals Court or Supreme Court. This special rule is based on the idea that trials and related appeal processes can keep a case active even for years.

According to Voutilainen, being awarded compensation based on criminal action is unlikely, although the GDPR offers some possibilities for compensation if the company in question is solvent.

“Any compensation for damages awarded for criminal action requires that we know who the hacker is. Investigation of data hacking is not easy, and the rate of solved cases is not high. There exist major cases of hacking where the offender was never caught.”

According to Muurman, the important thing at this stage of the investigation is to report the crime.

“When you file a criminal complaint, the most important thing is to fill in the form carefully. You should also keep any blackmail messages, other relevant messages or other evidence by, for example, taking a screenshot. They can then be added as supplementary material to the criminal complaint, or they can be delivered to the police at a later date.”

You can find instructions on how to file a crime report at the police website.

Muurman says that it is difficult to predict the time the investigation will take to complete, because there are so many contributing factors that affect the time frame of the investigation and the number of contacts that need to be made.

“Above all we hope that victims do not panic. The police investigation is underway, even though it might not seem so to outsiders. We are not necessarily able to respond to all contacts or enquiries regarding progress in the case of individual victims. Victims should wait for the police to contact them. The police are carrying out a preliminary investigation in preparation for an eventual criminal trial.”

Key terms

  • The GDPR specifies two roles that are in charge of processing personal data:
    o Data controller makes decisions regarding the processing of personal data.
    o Data processor is in charge of safekeeping and processing data on behalf of the data controller.
