Aleksanteri Kivimäki Sentenced in Vastaamo Psychotherapy Data Breach and Extortion Case

In October 2020, approximately 33,000 patients of the Finnish psychotherapy provider Vastaamo were subjected to an extortion scheme following a data breach that exposed their sensitive therapy notes. The stolen data was subsequently published online. After an extensive investigation, Aleksanteri Kivimäki was identified, arrested, and in April 2024, sentenced to six years and three months in prison for his role in the hacking and attempted extortion.

The Data Breach and Extortion Scheme

In September 2020, a ransom demand was sent to Vastaamo's CEO, Ville Tapio, requesting €450,000 for the patient registry. Sample records were attached to prove the compromise. Three days before the mass extortion emails went out to patients, an individual using the handle "ransom_man" began publishing patient records on the dark web and on Finnish online forums.

In October 2020, thousands of Vastaamo patients received emails demanding Bitcoin to prevent the publication of their private therapy notes. Demands to individual patients included €200 in Bitcoin within 24 hours, increasing to €500 after 48 hours. The complete Vastaamo patient database, containing all patient therapy notes, was subsequently published online. The leaked information included sensitive details, names of public figures, and records of children.

Vastaamo's Security Lapses and Company Fate

An investigation by cybersecurity specialist Antti Kurittu, commissioned by Vastaamo, identified security weaknesses in the company's systems. The patient records database was directly reachable from the internet, was not behind a firewall, and had a blank password. Kurittu concluded that the database was most likely found through opportunistic scanning of internet-exposed hosts rather than a targeted attack.

Vastaamo was aware of the data compromise weeks before notifying patients and did not pay the ransom. The company was declared bankrupt in February 2021. Ville Tapio, Vastaamo's former CEO, was initially convicted of criminal negligence concerning patient data handling, a conviction that was later overturned on appeal.

Investigation and Identification of Aleksanteri Kivimäki

The Finnish police launched an extensive investigation into the data breach, which included processing over 21,000 criminal reports. Technical evidence, including the accidental upload of a home folder with distinct file naming conventions and specific search queries within the patient database, led investigators to Aleksanteri Kivimäki. Further investigation traced a micropayment made to "ransom_man" to Kivimäki's bank account, and server payments to a credit card linked to him. Evidence also indicated he was located in London when the crimes occurred.

Kivimäki, also known by the aliases Julius Kivimäki and "zeekill," has a history of involvement in cybercrime incidents and cyber harassment dating back to his teenage years, including "swatting" incidents and involvement in the Lizard Squad attacks. An arrest warrant for Kivimäki was issued in October 2022.

Arrest, Trial, and Conviction

Aleksanteri Kivimäki was apprehended in Paris in February 2023, where he was using an alias, and subsequently extradited to Finland. During his trial, over 21,000 former Vastaamo patients registered as plaintiffs.

In April 2024, Kivimäki was found guilty of 9,600 counts of aggravated invasion of privacy and over 21,300 counts of attempted aggravated extortion. He was sentenced to six years and three months in prison. Kivimäki has appealed the sentence and continues to maintain his innocence, stating that the actions were carried out by someone close to him. During an interview, Kivimäki stated he perceived the victims as "nameless, faceless people."

Ongoing Impact and Further Developments

The data breach affected approximately 33,000 Vastaamo patients. Reports from lawyers representing victims documented at least two instances of individuals taking their own lives after discovering their therapy notes had been exposed. Victims are pursuing civil lawsuits against Kivimäki for damages; he claims to possess no assets. The Finnish government has approved compensation for victims of the breach.

Copies of the patient files continue to circulate online, and a dedicated search engine for the database was at one point available. A second suspect, a US citizen residing in Estonia, has been charged with aiding and abetting the attempted extortion in connection with the case. The incident underscores challenges related to digital privacy and the security of sensitive personal data.