15 comments

  • bigiain 44 minutes ago

    "the patient records database was accessible via the internet; there was no firewall and, perhaps most egregiously, it was secured with a blank password, so anyone could just press enter and open it"

    There _should_ be a bunch of people in jail for that. Including, but not limited to, the CEO. It should also include all the people on the org chart between whoever set that database up and the CEO.

      jruohonen 29 minutes ago

      Indeed, the CEO was held criminally liable, but the charges were dropped in a higher court just recently. From the article:

      "In April 2023, Tapio was found guilty of criminal negligence in his handling of patient data. His conviction was overturned on appeal in December 2025. (He declined my requests to interview him.)"

      More specifically, he was charged with a data protection crime (i.e., note that in Finland these GDPR-like things are also in the criminal law). However, based on local news, I suppose there was not enough evidence that it was specifically a responsibility of a CEO or that CEO-level gross negligence occurred.

  • imalerba an hour ago

    There's a nice episode from darknetdiaries about it https://darknetdiaries.com/episode/159/

  • abigail95 an hour ago

    Do we really only catch the laziest hackers? The opsec is shocking.

  • tetha 13 minutes ago

    I'm a broken record about this by now, but stories like these keep reminding me how broken the law is for ethical hackers in Germany. If an ethical hacker found something like this in Germany, to my knowledge it would not be clear whether entering an empty password counts as "circumventing or breaking a security barrier". "No password barrier" has recently been clarified in courts, but "Static Password" hasn't.

    And once you break a security barrier, you're breaking the law. Even GDPR doesn't help you there - that just ensures more people are breaking different laws. And this can get all your devices seized, land you in jail, end your career, cause thousands of Euros of equipment loss, because the new laptop naturally got lost in the return process after 6 - 12 months.

    And thus, many people with the skill to find such problems and report them silently to get them closed do ... nothing. Until bad people find these holes and what the article describes happens. And Europe has hacker groups who could turn our cybersecurity upside down in a good way. Very frustrating topic.

  • huhkerrf 2 hours ago

    > "Unfortunately, we have to ask you to pay to keep your personal information safe.”

    I can't put my finger on why, but the faux "aw shucks, our hands are tied" makes me even more pissed off by the fact that they're leaking people's therapy notes. Just come out and say you're an amoral money seeker.

  • jvdvegt an hour ago

      p1anecrazy 42 minutes ago

      The Guardian doesn’t have a paywall

        jvdvegt 13 minutes ago

        It does. I pay with money (e.g. I'm forced to pay for a subscription) or ads (I'm forced to pay with resources).

  • cedws 37 minutes ago

    He’s done less than seven years of time, shows no remorse and even denies doing it in the first place. You dropped the ball on this Finland, don’t be surprised when he does it again. What a disgusting human being.

  • NooneAtAll3 an hour ago

    Can we talk about the cookie banner on this website?

    "Rejection hurts …

    You’ve chosen to reject third-party cookies while browsing our site. Not being able to use third party cookies means we make less from selling adverts to fund our journalism."

    They're literally saying "we're sad that you don't allow us to spy on you for money" and trying to guilt-trip you on that

      adaml_623 11 minutes ago

      Ethically speaking it seems like you should not be accessing commercial news sites if you're not willing to pay in some way for the work of the people writing the articles.

      What do you propose they do?

  • bilegeek 2 hours ago

    > he had not only accidentally uploaded all of the therapy notes, but also his entire home folder

    Lol. At least it's a good reminder about bad opsec.

  • sublinear 2 hours ago

    "Jazz police are looking through my folders. Jazz police are talking to my niece. Jazz police have got their final orders. Jazzer, drop your axe, it's jazz police!"