When the data theft case came to light, police warned that the situation could be exploited by rogue traders and that people should be especially vigilant if someone tries to steal their health information.

Police told ERR that they have received one report of attempted extortion using the Asper Biogene data.

"The police are investigating one case where a person was called and told that their information had been leaked. In this regard, we also proactively issued a public notice last week to encourage people to be aware of the content of emails sent to them. Under no circumstances should you click on any link or take any action unless you are absolutely certain that the sender is a genuine healthcare provider," Jaanus Juhanson, head of the cyber and economic crimes unit of the southern prefecture, said.

"If people want to ask further questions about their data being compromised, they must do so with a digitally signed statement or other means of identification so that the healthcare provider can verify that the person asking for the data is who they say they are," he said.

Hardi Tamm, CEO of Asper Biogene, told ERR that Asper Biogene has not been contacted by the perpetrators and has not received any new ransom demands or other threats.

Juhanson said the criminal investigation is currently in the evidence-gathering phase and no charges have been filed.

"This investigation also requires international cooperation in the gathering of evidence, so it will take time to establish the facts," he said.

The case will be prosecuted under the Penal Code section on illegal access to a computer system. Kretel Tamm, chief prosecutor at the southern district prosecutor's office, said the perpetrator could face a fine or up to three years in prison.

In order to clarify the circumstances of the Asper Biogenerics data leak, the police have opened a criminal case and the Data Protection Inspectorate has opened a supervisory case.

Data Protection Inspectorate proceedings still ongoing

Tamm said that some of the data had been downloaded, but it was not possible to say whether it was all the data collected since 2009.

Asked whether it was the (health) data of individuals that was downloaded, or rather the reports on that data, Tamm said it was more likely the reports.

Our data is predominantly analysis-specific. For clarity, it is useful to divide the overall activity into two strands, medical genetics and direct-to-consumer genetic testing.

"In the former, the analysis is personalized, i.e., there is a name and a personal identification number; in the latter, there is not. Direct-to-consumer genetic testing does not verify identity or trace samples back to the service provider, so the results are not legally linked to specific individuals and their identities. For example, in the case of a take-home test, no one has verified that the name of the person who ordered the test is the same as the name of the person who actually took the test," Tamm said.

Pille Lehis, thedirector general of the Estonian data protection agency, said that among the 10,000 people's health data illegally downloaded from the Asper Biogene database are paternity and genetic disease tests, some of which are easily understandable and directly linked to a specific individual.

Lehis added that among the 100,000 data items, there are analytical responses with a person's name, ID and so on, PDF documents, some of which are also very easy to understand. "A person can be 'summarized' with their health data only, sometimes" she said.

Tamm said that misleading information was also published in the media last week that Asper Biogene also performs fertility tests. In fact, the company performs genetic testing for more than 2,000 hereditary diseases and determines predisposition to diseases with a significant genetic component (for example, predisposition to hereditary cancer or thrombosis). It also conducts direct-to-consumer testing.

Last week, it was revealed that files containing health information were illegally downloaded from the database of genetic testing company Asper Biogene. About 10,000 people's personal and health information was downloaded from the database.

--

Follow ERR News on Facebook and Twitter and never miss an update!