An ongoing investigation of the massive data breach of privately-operated mental health care provider Vastaamo has led investigators to suspects in Europe as well as the firm's own employees, according to the National Bureau of Investigation (NBI).

News of the data breach at the psychotherapy firm Vastaamo first surfaced in October 2020, when the company announced that sensitive patient data was leaked after a hack of its database.

The stolen files were used in extortion attempts against the firm. Investigators also later learned that some patients had also been blackmailed with the sensitive data.

The company was found to have initially downplayed estimates of the extent of the breach, which ended up affecting around 33,000 clients.

On Wednesday, the NBI said it was unable to comment on how many people are suspected in the case.

"Time will tell whether the perpetrators are Finnish, from abroad or both," lead investigator Marko Leponen told news service STT.

To date, around 22,000 of the affected clients have filed reports with police, with roughly 6,000 of those also submitting oral statements.

Some victims blackmailed

Police have continued to urge victims to provide further statements.

The ongoing investigation has uncovered hundreds of crimes in which the breached patient data was misused, including suspected cases of identity theft.

Police said that between 10-15 criminal reports of data breach victims paying ransom to extortionists.

Authorities also suspect some Vastaamo employees of violating privacy protection laws.

Police surmise the hacking of the firm's database was enabled by some workers' aggravated negligence or intent.

Investigators expect that suspicions surrounding the employees' role in the case will be handed over to prosecutors for consideration in October.

Currently, fewer than five individuals are suspected of data security crimes, according to police

The company has reported that the data breaches took place in November 2018 and March 2019, and announced it was targeted with extortion in October 2020.

The NBI's Leponen said that it is possible that the breach and extortion efforts were perpetrated by different individuals, due to the extended period of time between the crimes.