[German]Security and data protection incident in Finland involving patient health data. The genetic testing company Asper Biogene announced that unknown persons had accessed its database and the genetic data of around 10,000 people from Estonia who had applied for genetic testing there had been stolen by unauthorized third parties. The incident took place in November 2023, but only became known in mid-December 2023 through a newspaper report.
Advertising
Gene data stolen from Estonians
The incident came to my attention a week before Christmas via the following tweet and this English article.
Asper Biogene, an Estonian company specializing in the diagnosis of hereditary diseases, alerted the police, the State Information Systems Agency (Riigi Infosüsteemi Amet) and the Data Protection Inspectorate on 11 November 2023 regarding a data protection incident. According to the company, there was information that a third party had illegally gained access to the database containing the stored (genetic) personal data of its customers and downloaded various files.
The database contains the data of around 10,000 people, with around 100,000 files having been copied and extracted by the unknown party. Details of exactly what data was stolen are still unknown. What is certain, however, is that some of the files contained genetic test results ordered by healthcare providers and individuals at the company.
Pille Lehis, the director general of the Estonian Data Protection Agency, said that among the 10,000 pieces of health data illegally downloaded from Asper Biogene's database were paternity tests and genetic tests, some of which are easily understandable and directly linked to a specific person. The company performs genetic tests for more than 2,000 hereditary diseases and determines predisposition to diseases with a significant genetic component (e.g. predisposition to hereditary cancer or thrombosis). It also performs tests directly for end users.
Advertising
Lehis added that among the 100,000 pieces of data are analytical results with a person's name, ID and so on. PDF documents, some of which are also very easy to understand, were also stored in the database. "A person can sometimes be 'summarized' with just their health data," she said.
The Criminal Investigation Department of the Southern Prefecture has launched a criminal investigation and is in the process of gathering evidence. The Data Protection Inspectorate (Andmekaitse Inspektsioon) has also initiated supervisory proceedings against the company. However, the whole thing remained under wraps until the public prosecutor's office in the district concerned issued a notice. Those affected will now be notified personally by their healthcare providers.
Pille Lehis, states that more than forty healthcare companies are affected by the incident. These include companies that offer fertility tests.
The notification dates from mid-December 2023. Pille Lehis criticized the fact that the data protection incident was noticed in November 2023, but the public was not informed until mid-December 2023. "Unfortunately, the incident shows that threats in cyberspace are still not being taken seriously," Pille Lehis is quoted as saying. This is because the data was not encrypted or stored pseudonymously within the company. The authorities warn that the data could be misused.
One blackmail attempt known
According to the Estonian medium, an extortion attempt has already been reported. The police confirmed to the medium ERR that they had received a report of an extortion attempt involving Asper Biogene's data.
"The police are investigating a case in which a person was called and told that their data had been passed on. In this context, we also issued a public notice last week asking people to pay attention to the content of emails they receive. Under no circumstances should they click on a link or do anything unless they are absolutely sure that the sender is a genuine healthcare provider," Jaanus Juhanson, head of the Southern Prefecture's Cyber and Economic Crime Unit, is quoted as saying.
Hardi Tamm, CEO of Asper Biogene, told ERR that Asper Biogene has not been contacted by the perpetrators and has not received any new ransom demands or other threats.
