Cyber attack on medical supply transport company: Clients in Helsinki also affected

Westlog Oy, a company responsible for transporting incontinence products, has been targeted by a cyber attack. As a result, the personal data of clients of the Helsinki Social Services, Health Care and Rescue Services Division’s medical supply distribution may have leaked to a third party. This personal data leak concerns more than 9,000 of our clients.
Mies ja nainen tutkivat yhdessä tablettitietokonetta.
Photo: Mikko Hakola

According to the latest available information, the data leak concerns medical supply distribution clients who have used the home delivery service for TENA products in the last two years.

Due to the personal data breach, the following client data may have leaked to a third party:

  • client’s name
  • telephone number
  • email address
  • postal address
  • information on orders placed
  • possibly the client’s personal identity code and/or door code if this information was recorded in the system.

We will send a letter to the home address of every person affected by the personal data breach. However, we recommend clients who have ordered TENA products to be delivered to their home to already read through the instructions for victims of data leaks that are published on the National Cyber Security Centre website(Link leads to external service).

Measures have been taken to increase information security 

Westlog Oy is a transport service used as a subcontractor by Essity Oy, a contractual supplier of incontinence products for the City of Helsinki’s Social Services, Health Care and Rescue Services Division.

On 24 August 2023, Westlog, which is responsible for maintaining the home delivery system for TENA products, noticed some ransomware on their server. After an investigation was conducted, it was confirmed on 4 September 2023 that the confidentiality of clients’ personal data had been lost. The City of Helsinki was informed about this on 18 September 2023 and immediately set out to investigate the incident in cooperation with the other organisations concerned. The City of Helsinki has submitted a notification to the Data Protection Ombudsman regarding the matter.

Westlog has submitted a notification about the data system break-in to the National Cyber Security Centre and the Office of the Data Protection Ombudsman and filed a report with the police. Westlog’s own investigation and detailed assessment of the stolen personal data is still ongoing. For example, the full scope of the breach and its potential consequences are yet unknown.