The Helsinki tabloid Iltalehti reports that Finnish ministers will be meeting on Wednesday this week to discuss data breaches at the Vastamo psychotherapy centre that have so far led to the filing of criminal reports by thousands of victims.
In a telephone briefing for the media on Sunday evening, Interior Minister Maria Ohisalo (Green) said that the most important issue at the moment is to provide help and support to people targetted by the hackers.
Ohisalo described the attack on the psychotherapy centre, and attempts to extort money from victims as "a very serious, shocking and outrageous act".
She told the media that crisis assistance has been provided over the past few days and she thanked the Finnish Red Cross, the Victim Support Service, Mental Health Finland, and the church for their active involvement.
Ohisalo noted that some patient data has been released on the Tor network and there are now concerns that it may be published on other platforms, as well. She added that key ministries are now reviewing what can be done to help victims and prevent similar situations in the future.
People who think their personal data may have been compromised can contact Victim Support Finland for guidance.
Poorly monitored
Helsinki's other main newsstand tabloid, Ilta-Sanomat reports that in practice, information security at more than 250 social and healthcare organisations in Finland is not monitored at all.
It writes that the National Supervisory Authority for Welfare and Health (Valvira) does not have sufficient resources to oversee cybersecurity. This monitoring work is therefore entirely up to the due diligence of companies and organisations themselves.
Valvira's Chief Engineer Antti Härkönen says that social and health care information systems are monitored on the basis of customer information legislation.
According to Härkönen, information systems are divided into two categories: systems directly connected to the national health database "Kanta" are designated class A, everything else is class B.
The Vastamo psychotherapy centre, which was was hit by hackers is a class B system.
"There are 260 class B systems, and at the moment, I am the only person monitoring them, so the level of any regular, proactive monitoring is of these is very low," Härkönen told Ilta-Sanomat.
He confirmed to the paper that in practice the information systems of these healthcare providers are not monitored unless a problem is reported.
Härkönen explained that when these systems are commissioned, there is a testing process and an external external security assessment.
"In the case of class B [information systems], in practice, the system manufacturer is responsible for the [security] requirements. There are no detailed security regulations as required for class A systems," Härkönen added.
In the Vastaamo case, Valvira's Härkönen said that a full investigation is underway, but it is still too early to provide an answer to how hackers breached the system.
"This will probably also lead to an assessment of the requirements for class B systems in the future, and will certainly lead to a review of how system monitoring should be upgraded."
Covid and privacy
According to the Turku-based daily Turun Sanomat, Finland's Data Protection Ombudsman has received a large number of inquiries about personal privacy issues related to the coronavirus epidemic, especially in working life.
These issues have been mainly questions such as whether or not taking an employee’s temperature or and reporting a coronavirus infection to the authorities is a violation of privacy.
In addition, the Ombudsman's office has received just one complaint about the Koronavilkku infection tracing app, according to Deputy Data Protection Ombudsman Anu Talus.
According to Turun Sanomat, information about infections is considered confidential health information, but exposure, for example, is not.
Talus told the paper that no complaints have been received regarding the direct tracing of infections.
The Office of the Data Protection Ombudsman has provided some guidelines concerning workplace privacy and the coronavirus epidemic.
For example, if an employee of an organisation is diagnosed with a coronavirus infection, the employer may not, in principle, release the name the employee. However, the employer can inform other employees that there has been an infection detected.
The regional administrative agency can order targeted voluntary health inspections, for example at a specific workplace, if the inspection is deemed necessary to prevent the spread of a communicable disease.
In general, employee health information may only be accessed and processed by persons specifically designated to do so. Anyone handling health information is bound by professional confidentiality.