TALLINN, Estonia (AP) — The government of Finland said Thursday it was preparing legislation that would allow citizens to change their personal identity codes in cases of gross data breaches that carry a high risk of identity theft.
The government’s fast-tracked proposal was designed primarily to assist thousands of people whose personal information was stolen during a hacking of patient records at a private Finnish psychotherapy center.
All Finns receive a personal identity code at birth to allow them to access most public and many private services. Under Finland’s current law, the criteria for changing one's code are strict and, according to the government, cannot be applied in advance to prevent criminal or other significant harmful activity.
The legislation being drafted would make the process slightly easier.
“The work will start immediately, and the laws will be completed by the beginning of next year,” said Minister of Local Government Sirpa Paatero who is in charge of the Finnish government’s electronic services.
Finland also wants to develop a webpage that enables citizens to report a suspected theft of their personal data and to block unauthorized use of the information.
Finnish police estimate that up to 40,000 clients of the Vastaamo psychotherapy clinic may have had their data compromised in two likely breaches of its information systems in 2018 and 2019. The clinic has several branches throughout Finland and operates as a sub-contractor for the Nordic country's public health system,
The hacking episodes were revealed last month. The still unknown perpetrator or perpetrators published at least 300 patient records containing names, personal identity codes and contact information on the anonymous “dark web” Tor network.
Soon after, dozens of Vastaamo clients received ransom demands to pay money in exchange for keeping their information private. Also the psychotherapy center reportedly received a demand for 450,000 euros ($531,000) in Bitcoin.
The case has stunned people in Finland, a nation of 5.5 million, and cybersecurity experts have described such gross misuse of patient records as exceptional even on an international level.
The National Bureau of Investigation said at the end of October that it had so far received some 15,000 complaints that victims of the clinic data breaches filed with police.