During 2018 and 2019, the psychotherapy clinic Vastaamo experienced a data breach that resulted in the leakage of approximately 30,000 patient records. The data breach was not reported to the Finnish supervisory authority until 2020, which subsequently led to a fine of €608,000. The company had taken inadequate security measures, had not reported the data breach to the supervisory authority, and lacked the necessary documentation. Therefore, the supervisory authority deemed that the company had neglected its obligations under the GDPR (General Data Protection Regulation).
During the period after the data breach occurred (but before it was reported to the supervisory authority), an investor acquired a majority stake in Vastaamo. When the data breach was finally reported, and the severity of the breach became public knowledge, the investor demanded that the acquisition be canceled. The investor argued that the failure to disclose the data breach constituted a lack of disclosure during the due diligence process. The acquisition was subsequently canceled.