The troubled psychotherapy centre Vastaamo sent at least some of its customers invoices that included their government-issued personal ID numbers in unsecured emails.
The private mental health services firm has been at the centre of a hacking and blackmail scandal for the past week after it emerged that highly sensitive information on thousands of patients had been stolen from its database.
Yle has seen two invoices from the therapy firm in which clients' personal identity numbers were listed in the business ID number field. One of the invoices was sent to a client and the other to an individual who had booked time at the centre for someone else.
According to Data Protection Ombudsman Reijo Aarnio, companies may not include personal ID numbers on invoices. It remained unknown on Wednesday whether the firm has stopped the practice or how many clients' ID numbers had been sent in invoices.
No further comment
Vastaamo's interim CEO and board chair, Tuomas Kahri, told Yle by email that the firm had no comment on the matter.
Kahri was named CEO after the board fired the company's previous CEO, Ville Tapio, upon learning that he was apparently aware of a second data breach and other shortcomings in the psychotherapy provider's data security.
"In recent days we have told you everything that needs to be said at this stage," Kahri said by email on Wednesday.
Windows and data security expert, Sami Laiho, said that an invoice he received from the firm also included his personal ID number.
"Sending an ID number by email completely unprotected is against all the rules," he said.
Many potential victims
Vastaamo's hack could potentially affect tens of thousands of its clients.
The firm has treated some 40,000 patients and has also acted as a subcontractor to several major public-sector hospital districts. Some of the hacked files – including personal material like diaries, diagnoses and contact information – have been published on the dark web.
Following receipt of a complaint regarding a health care firm's inclusion of personal ID codes on invoices, the Data Protection Ombudsman ordered the company to stop the practice in June.
The company said the reason for including ID numbers on bills was for identification purposes.
However, according to the Data Protection Ombudsman, the practice is not in line with the law.
Government discusses Vastaamo hack
Meanwhile, members of Prime Minister Sanna Marin's (SDP) government met on Wednesday to discuss the Vastaamo hack as well as possible measures that could be taken to assist the victims.
Upon arrival at the House of the Estates on Wednesday afternoon, Marin told reporters that she found the incident to be very shocking and that it affected many people in Finland.
"The victims need support and help, and we're discussing ways that we could best help. One matter under discussion is issuing new ID numbers for the victims," Marin said.
The government was scheduled on Wednesday afternoon to learn more about the situation in talks with individuals from the National Supervisory Authority for Welfare and Health (Valvira) as well as the National Board of Investigation (NBI), among others.
The Minister of Science and Culture, Annika Saarikko (Cen), suggested that the Vastaamo hacking incident should be investigated by the Safety Investigation Authority, due to the sensitive nature of the data breach.
No concrete decisions are to be made during Wednesday's meeting, but according to PM Marin, government members will negotiate ways to improve the data security of citizens.
The government could decide, for example, to order authorities to begin monitoring the practices of private health care firms.