When data breach hits a psychotherapy clinic: The Vastaamo case

This teaching case demonstrates the crucial role of information security and data protection in the digital era. To this end, we first discuss the importance of data protection and information security as essential business capabilities for modern organisations. We argue that approaching information security from a business model perspective, instead of a purely technical perspective, enables companies to better understand the value of data protection for ensuring business continuity and long-lasting business relationships with customers and partners. To support this viewpoint, we draw on the biggest data breach in the history of Finland that affected over 33,000 patients of Vastaamo Psychotherapy Centre. While the breach led to Vastaamo’s bankruptcy and financial and legal consequences for several stakeholders, the significance of the breach lies in its societal impact. The breadth and cruelty of the breach caused outrage across the country and led to raising consumer and industry awareness of cybersecurity. As such, this teaching case enables the audience to better understand the consequences of information security incidents on firms and their stakeholders.