[smcin]

...because given how nonexistent Vastaamo's security was, it was only a matter of time that they would ultimately have gotten compromised or ransomwared, if not by Kivimäki then by someone else. So whether Kivimäki ever existed or not, doesn't change the inevitable outcome. And Vastaamo's CEO went to jail for GDPR violations. There's also the unexplained mystery of why Keskinen (the DPO) and Lind had no sysadmin password and no firewalls, even after they had been criminally investigated for a previous incident. Also, the Finnish DPA wasn't exactly proactive about checks, either.

(To be clear, Kivimäki was a scumbag.)

So, there's lots of responsibility to go around.