Laadi alla uus Eesti Raadio äpp, kust leiad kõik ERRi raadiojaamad, suure muusikavaliku ja podcastid.

10,000 people's data stolen in genetic testing company Asper Biogene leak

Computer. Source: Daniel Agrelo / Pixabay

Personal and health data belonging to approximately 10,000 people has been illegally downloaded from the Tartu-based genetic testing company Asper Biogene's database, the State Prosecutor's Office said on Thursday. Those affected are in the process of being notified.

A criminal investigation has been launched by the Southern Prefectural Criminal Bureau which is in the process of collecting evidence. The Data Protection Inspectorate (Andmekaitse Inspektsioon) has also initiated a supervisory procedure against the data processor.

Asper Biogene, which specializes in the diagnostics of hereditary diseases, alerted the Police, the State Information System Agency (Riigi Infosüsteemi Amet), and the Data Protection Inspectorate on November 11.  

The company said it had learned someone had illegally accessed its database and downloaded various files. An investigation was launched by the authorities to clarify the details.

Approximately 100,000 files were copied and downloaded. The database contains 10,000 people's information and those affected will be notified personally by their health care providers.

It is not yet known exactly what was downloaded, but it is known some of the files contained genetic testing results ordered by healthcare providers and individuals from the company.

Kretel Tamm. Source: Ken Mürk/ERR

Forty healthcare companies have been affected, including fertility testing, the Data Protection Inspectorate said.

Asper Biogene is cooperating with the police to clarify the circumstances.

Kretel Tamm, senior prosecutor at the Southern District Prosecutor's Office, said the available evidence suggests the attack was deliberate and well thought out. 

"Although every click leaves a trail in the virtual world, cybercrimes are usually very professional – they are well planned and traces are mixed. Usually, the aim is to make a criminal profit from the crime. In this case, too, a financial claim was made against the company after the attack, and the company turned to the police," Tamm told a press conference on Thursday.

Rain Vosman, head of the Southern Prefectural Crime Bureau, said the criminals acted skillfully. 

Rain Vosman. Source: Ken Mürk/ERR

"The perpetrators have also made a ransom demand and it is worth reiterating that no money should ever be paid in such circumstances. This encourages them to continue but does not guarantee that the data will be returned or that the perpetrator will delete it. Any company or service provider that comes into contact with personal or health data must ensure that the data in their hands is well kept – this means up-to-date and secure information systems," he said.

Vosman said the Police have started gathering evidence to identify and prosecute those responsible.

"We are working on several theories in close cooperation with authorities in Estonia and internationally. In this case, Asper Biogene has done its best to inform the Police and other authorities about the cyberattack. The company has already patched the security hole in its server," the official said.

"The ransom demand was a financial claim threatening to release the information in the hands of the perpetrator and damage the company's reputation. These kinds of demands must not be obeyed," Vosman stressed.

He said that there are several versions of events, but due to the ongoing investigation, the police will not disclose the details.

Pille Lehis. Source: Ken Mürk/ERR

The Data Protection Inspectorate registered Asper Biogene's alert on November 15. 

The agency's Director General Pille Lehis said, considering the number of people affected, this is the biggest data leak recorded so far.

"In addition, 40 healthcare companies have been affected, including fertility testing," Lehis told the reporters at the press conference, adding the case is not related to the Estonian Genome Project.

East Tallinn Central Hospital, the Northern Estonia Medical Center, and Elite Clinic are the most affected.

"The consequences of data leakage could have been mitigated if the data had been encrypted or pseudonymized within the company," said Lehis. 

East-Tallinn Central Hospital (ITKH). Source: Siim Lõvi/ERR

"Unfortunately, what has happened shows that threats in cyberspace are still not taken seriously. Successful external attacks on organizations and the consequences they bring should not be taken as inevitable. It is the responsibility of every data processor to, among other things, ensure data integrity and confidentiality. Behind the data are real people and real lives that can be severely affected in such situations. Data protection is essential and we all have a responsibility to ensure that our data is protected," she said.

Lehis added that during the investigation, healthcare service providers, who are responsible for data processing, and their processes will also be studied. 

She said people affected by the data leak should be very cautious about e-mails referring to their genetic data. 

"We know of a case in Finland where information was leaked from a mental health hospital and these specific individuals were blackmailed," said Lehis.

Criminal proceedings were initiated under the section of the Penal Code on illegal access to a computer system.

Officials from the Police, Prosecutor's Office, and Data Protection Inspectorate held a press conference on December 14, 2023. Source: Ken Mürk/ERR

Tamm said those responsible could be fined or sentenced to up to three years in prison.

The size of the fine depends on the size of the company, the extent of the damage, and its cooperation, Lehis said: "It's too early to name a figure."

People affected will be able to apply for damages if there is material or moral damage.  

Medical institutions have already started notifying patients. For example, PERH said victims can ask which data was stolen.


Follow ERR News on Facebook and Twitter and never miss an update!

Editor: Mari Peegel, Helen Wright

Hea lugeja, näeme et kasutate vanemat brauseri versiooni või vähelevinud brauserit.

Parema ja terviklikuma kasutajakogemuse tagamiseks soovitame alla laadida uusim versioon mõnest meie toetatud brauserist: