Comment by bigiain
17 hours ago
"the patient records database was accessible via the internet; there was no firewall and, perhaps most egregiously, it was secured with a blank password, so anyone could just press enter and open it"
There _should_ be a bunch of people in jail for that. Including, but not limited to the CEO. It should also include all the people on the org chart between whoever set that database up and the CEO.
Indeed, the CEO was held criminally liable, but the charges were dropped in a higher court just recently. From the article:
"In April 2023, Tapio was found guilty of criminal negligence in his handling of patient data. His conviction was overturned on appeal in December 2025. (He declined my requests to interview him.)"
More specifically, he was charged with a data protection crime (i.e., note that in Finland these GDPR-like things are also in the criminal law). However, based on local news, I suppose there was not enough evidence that it was specifically a responsibility of a CEO or that CEO-level gross negligence occurred.
According to this report [1] the appeal was about specific requirements like encryption, and he claimed he had delegated it. So it is clear that it is hard to actually hold people responsible.
> The appellate court rejected the prosecution's argument and dismissed all charges. In its unanimous decision, the court stated that neither the GDPR nor the applicable Finnish healthcare legislation required encryption or pseudonymisation of patient data at the time in question.
> Prosecutors alleged that Tapio knew about the March 2019 breach and failed to act. They claimed he neglected legal obligations to report and document the incident and did not take sufficient steps to protect the database. Tapio denied the claims, saying he was unaware of the breach until autumn 2020 and had delegated technical oversight to external IT professionals.
> The court found there was no clear legal requirement at the time obliging Tapio, as CEO, to take the specific security measures cited by the prosecution. These included firewall management, password policies, access controls, VPN implementation, and security updates.
> According to the ruling, the failure to adopt such measures did not, in the court’s view, constitute criminal negligence under Finnish law.
> Tapio’s conduct during and after the 2019 breach did not meet the threshold for criminal liability, the court concluded.
[1] https://www.helsinkitimes.fi/finland/finland-news/domestic/2...
No, it’s just that it’s crazy to hold the CEO liable for absolutely everything that can go wrong.
Funny whenever people complain about the GDPR here, they're thinking they would be slapped with a €20Mi fine and that EU team 6 is going to parachute into their office and arrest everyone.
So they're saying this is not the case?
Well, not for public bodies at least: “Administrative fines cannot be imposed on public organisations, such as the government or state-owned companies, municipalities and parishes” [1]
But luckily this sort of thing never happens in the public sector. Except for when it does: https://yle.fi/a/74-20094950
[1] https://tietosuoja.fi/en/corrective-powers
The law is written such that they could do all that to a small family business that forgot to delete their Apache logs, which isn't good and leaves room for abuse even if they pinkie swear it's only meant for big violations.
> So they're saying this is not the case?
Yes it was. The company was fined 20M EUR on a standard GDPR basis and went bankrupt (but unlikely due to the fine alone). Please re-read the above discussion.
Exactly, was it a burglary when your front door is open, lights on, spotlights on your wall safe, with the keys still inserted?
The CEO should be in prison.
> The CEO should be in prison.
Yes.
> Exactly, was it a burglary when your front door is open, lights on, spotlights on your wall safe, with the keys still inserted?
The thing isn't just the discovery of the "open door", though. Thousands of people were extorted in a pretty heinous way. Even if we say breaking in took little sophistication or effort, what was done with the data also matters.
>Exactly, was it a burglary when your front door is open
Legally speaking, yes: in every place I've ever lived, if all those things are the case, it's still a burglary, although the cops may call the victim an idiot.
In the UK, there is no crime "burglary".
"Breaking and entering" is a criminal offence, and walking through an unlocked front door or back door doesn't count. If you are on someone's land but didn't have to break in, then that's trespass, which is just a civil offense.
Theft is a crime in any case (indeed even if you're not on their land e.g. snatching a phone off the street).
Yes. Similarly, if I leave my car unlocked with the keys in the ignition and someone takes it, it is still a crime. It might be unwise to do that (depending on where you are), but nonetheless it is still a crime.
Technically, yes it is still burglary.
It's an odd position to take, that a crime was not committed or the offense isn't as bad if the difficulties of committing the crime have been removed or reduced.
> odd position [...] offense isn't as bad if the difficulties of committing the crime have been removed or reduced
Not really, intent is a part of the crime. If the barrier for crime is extremely small, the crime itself is less egregious.
Planning a robbery is not the same as picking up a wallet on the sidewalk. This is a feature, not a bug.
Now, how do we apply that to today’s current events?
Is it still a crime if the roadblocks to commit the crime are removed? Even applauded by some? What happens when the chief of police is telling you to go out and commit said crimes?
Law and order is dictated by the ruling party. What was a crime yesterday may not be a crime today.
So if all you did was turn a key and now you’re a burglar going to prison, when the CEO of the house spent months setting up the perfect crime scene, shouldn’t the CEO at least get an accomplice charge? Insurance fraud starts the same way…
It's a common attitude with people from low-trust societies. "I'm not a scammer - I'm clever. If you don't want us to scam your system why do you make it so easy?"
Someone presented a hypothetical scenario: what if a hacker wrote a virus which breached a totally unprotected database after the hacker had passed away? It's clear that the therapy provider is at least partially responsible.
Posthumous crime is the ultimate because the legal system is all about punishing the living until they are dead.
Is it still assault if the guy is just standing there, within punching distance, without even wearing a helmet?
Does he have a flag?
Yes it absolutely is still a burglary. Classic victim blaming.
Who’s the victim? The CEO? I think the patients are the victims here.
Yup, I heard of an ERP full of microservices where many endpoints don't check authorization at all and the auth mechanism doesn't check valid user credentials. Seems like they are very common.
Still reading the story but just hit that line and came here to snarkily post, “another MongoDB success story”. I should probably talk to my therapist about this desire to be seen as funny.
Having now read it, the CEO did get convicted.