Helsinki District Court handed Vastaamo's former CEO Ville Tapio a three-month suspended prison sentence in April last year on a data protection charge because he did not fulfil General Data Protection Regulation (GDPR) requirements. This verdict was appealed by both Tapio and the prosecutor, and the appeal hearing will begin in May 2025.
Apparently iirc the company had no security at all. Kivimäki didn't 'hack'; the username & password was some default setup. Not to take away from his assholery, but the responsibility for this horrific case doesn't seem to apply in a justified manner.
Ville Tapio, the former CEO of Vastaamo, was fired and also prosecuted following the breach. Ransom_man bragged about Vastaamo’s sloppy security, noting the company had used the laughably weak username and password “root/root” to protect sensitive patient records.
Investigators later found Vastaamo had originally been hacked in 2018 and again in 2019. In April 2023, a Finnish court handed down a three-month sentence for Tapio, but that sentence was suspended because he had no previous criminal record.
Tapio should get a prison sentence as well instead of a few months of house arrest / electronic surveillance. Absolutely criminally complicit