The Supreme Court has ruled that police cannot use patients' personal information as part of an investigation into a data breach at the psychotherapy centre Vastaamo.
The private mental health services company's database was hacked on at least two separate occasions between November 2018 and March 2019, and the hackers subsequently attempted to blackmail both the company and its clients.
Evidence seized by the police during the course of the preliminary investigation contains sensitive patient information, which the Supreme Court has decided cannot be investigated or used in the preliminary probe of a suspected crime.
Helsinki District Court had previously taken the same position on the use of the data.
Police had accessed the names and contact details of Vastaamo clients during the early stages of the investigation. However, an objection to the seizing of this data was made and the matter was brought to court.
In its ruling, the Supreme Court said that the names and contact details are not sensitive information in themselves, but when combined with the knowledge that they are from the database of a mental health services company, they become sensitive and are therefore subject to a ban on seizure and use in an investigation.
The court's ruling is based on the underlying principle that people in need of mental health services should be able to receive the care they need without fear of that relationship being revealed.
Information about the use of mental health services is linked to the protection of individual privacy, the Supreme Court added.
More than 25,000 criminal reports have so far been filed in connection with the blackmailing of victims of the database hacking, although police estimate that there are still several thousand more potential victims, which would bring the total to around 32,000.
The investigation by the National Bureau of Investigation (NBI) is ongoing, with the NBI due to begin hearing from the victims of the hack during the coming months.