
Finland Jails Hacker Over Mass Leak of 33,000 Therapy Patient Records

Last updated: January 19, 2026
  • A Finnish court sentenced hacker Aleksanteri Kivimäki to over six years in prison for stealing and leaking the therapy notes of 33,000 patients.

  • The private psychotherapy provider Vastaamo’s database was left exposed online without basic password protection or a firewall.

  • The breach led to patient extortion attempts, at least two suicides, and has prompted a major overhaul of Finland’s health data security laws.

Finland Hacker Sentenced After Leaking 33,000 Therapy Records on the Dark Web

In one of Finland’s biggest-ever cyber scandals, a court has just sentenced a hacker to prison for leaking thousands of people’s deepest therapy secrets.

The breach shattered lives, broke public trust, and exposed shocking security failures at a major healthcare provider.

The Attack That Shook a Nation

In 2020, an individual using the online name “ransom man” penetrated the systems of Vastaamo, the largest private psychotherapy provider in Finland, and began demanding an incredible amount of money, threatening to leak the data otherwise.

Once Vastaamo made it clear that it would not pay the ransom, the hacker turned to threatening the psychotherapy patients directly by email, demanding ransoms significantly lower than the amount he had originally tried to extort from Vastaamo.

The hacker threatened each patient with the publication of their private psychotherapy records on the internet unless they paid him. He carried out his threat by leaking over 28,000 patients’ data in batches on the “dark web”.

Eventually, the entire Vastaamo database, which included full names, addresses, identification numbers, and sensitive therapy records, was made public. The total number of affected patients is almost 33,000, each of whom has had their most intimate thoughts disclosed to the rest of the world.

A “Hacker God” Brought to Justice

Aleksanteri Kivimäki, the man behind the data breach, made quite a name for himself in the world of cybercrime. He styled himself ‘The Untouchable Hacker God’ online. In February 2023, the police arrested Kivimäki in Paris, where he had been living under a fake identity. Authorities from Finland extradited him to face a long list of charges.

In court, prosecutors laid out just how far his crimes went. Kivimäki violated people’s privacy almost 10,000 times and tried to extort over 20,000 victims. This week, the judge didn’t hold back. Kivimäki was found guilty on every single charge: serious privacy violations, extortion, cybercrimes, all of it.

Now, he’s looking at one of the toughest cybercrime sentences ever handed down in Finland: six years and three months behind bars.

Unforgivable Security Failures

One might ask how the hacker was able to pull off a breach of such magnitude. According to investigations conducted by the government, the security failures were almost unbelievable.

Vastaamo’s patient database was left with little to no firewall protecting it and no password protection whatsoever. Cybersecurity experts called the lapse “unacceptable,” especially for a company handling so many sensitive health records. The aftermath hit Vastaamo hard and fast.

Vastaamo never really recovered from the scandal, and it declared bankruptcy in 2021. It didn’t end there: the company faced a flood of lawsuits from patients saying it had failed to protect their privacy and left them dealing with all kinds of emotional fallout.

The Human Cost of Data Theft

But the problem was not just the data that was stolen; it was the peace of mind that was taken from so many people. The breach affected thousands of families, and some patients say it was a violation of their personal lives. Their private discussions about depression, trauma, and abuse were published online for all to see, causing them serious psychological harm.

Finnish authorities confirmed a heartbreaking consequence: at least two victims died by suicide after finding out their data was leaked. Many others also attempted to take their own lives.

This case shows data breaches are not victimless crimes. They can inflict deep, lasting psychological wounds, and the breach crossed a line no one should cross.

A Wake Up Call for Everyone

Now, Finland is looking for ways to undo the damage. The government has proposed a compensation plan for victims. Payouts could range significantly per person. However, civil rights groups say it’s not enough. They argue that money can’t fix the mental and social damage.

The government is also changing the rules, with plans to tighten cybersecurity regulations for all digital healthcare providers. New health data protection standards are coming in too.

The Vastaamo breach sounds a global warning: criminals frequently target digital health data because it is very valuable. Governments and companies everywhere should carefully review their own security and update their privacy policies, doing anything that could prevent such unfortunate events from happening again. Patients everywhere should feel secure.

About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
