Data Breaches

Finland Issues Wanted Notice for Vastaamo Hacker as Conviction Becomes Final

Finland has issued an international wanted notice for Aleksanteri Kivimäki, the man convicted of breaching Vastaamo, a Finnish psychotherapy provider, and exposing the confidential therapy notes of roughly 33,000 patients. Kivimäki’s conviction is now final. He is believed to be outside Finland and authorities have not confirmed his location.

The breach itself dates to late 2018 and continued into early 2019. Kivimäki did not simply steal administrative records. He extracted session notes, the kind of material patients share in confidence with a therapist and expect never to leave the room. He then attempted to extort Vastaamo directly demanding a ransom of 450,000 euros. When the company did not pay, he turned to the patients themselves, contacting thousands individually and threatening to publish their records unless they paid.

Marko Lepponen, the detective who led the investigation, said at the time, “I couldn’t even imagine the scale of it. This isn’t a normal case.” He was right. The Vastaamo breach sits in a different category from most data incidents. The exposed data was not financial records or email addresses in the abstract. It was accounts of trauma, abuse and mental illness shared in a clinical setting.

Thirty Thousand Patients. One Breach. Years of Exposure.

Have I Been Pwned records 30,000 unique email addresses in the Vastaamo dataset. The total patient count affected by the therapy note exposure is approximately 33,000, according to reporting by The Record from Recorded Future News. Vastaamo operated 25 centres across Finland and was, at the time, one of the country’s largest private psychotherapy providers.

The ransom demand to Vastaamo came first, in autumn 2020. When that failed, Kivimäki began contacting patients directly through a Tor-based site demanding small individual payments, typically around 200 euros, to keep their records private. Some patients received emails containing excerpts from their own session notes as proof the attacker held the data.

The BBC documented several patient accounts in detail. The common thread was not just the breach itself but the years of uncertainty that followed not knowing whether records had been published, whether employers had seen them, whether anyone in their personal lives had found the leaked files. That sustained exposure is the actual harm and no patch closes it.

A Conviction That Took Years and Still Has No Conclusion

Kivimäki was charged with nearly 30,000 counts related to the breach, according to The Record’s earlier reporting on the case. The Finnish courts convicted him. That conviction is now confirmed as final following the exhaustion of appeal options. The maximum sentence he faces if extradited and brought before the court is seven years.

Seven years is a meaningful number. It is also not a given. Extradition from many jurisdictions is slow, contested and contingent on where Kivimäki is actually located. Finnish authorities have not disclosed which country they believe he is in. The wanted notice has been issued through standard international channels, according to Yle News, but there is no confirmed timeline for arrest or extradition proceedings.

Kivimäki was previously known to European law enforcement well before Vastaamo. He was convicted in Finland in 2015 for a series of computer crimes committed as a juvenile, including involvement in distributed denial-of-service attacks on gaming infrastructure and other network intrusions. He received a suspended sentence at that time. The Vastaamo breach occurred after that conviction.

What the Vastaamo Case Actually Tells Healthcare Providers

The sourced material accompanying this story includes generic recommendations about encryption, access controls and penetration testing. I am going to set those aside. They are not wrong but they are not what this case is actually about.

Vastaamo’s breach was not primarily a failure of encryption. It was a failure of basic database security. According to Wikipedia’s documented account of the incident, Vastaamo’s patient database was accessible with a root password that had not been changed from its default value. The database had been exposed to the internet. This is not a sophisticated attack requiring advanced defensive measures to prevent. It requires someone to check whether default credentials have been changed and whether the database is reachable from outside the internal network.

Healthcare providers across the Nordic region that hold sensitive patient records should ask one direct question, who has verified within the last 12 months, that your patient databases are not reachable from the public internet? Not assumed. Verified. The Vastaamo case shows what happens when the answer to that question is never asked at all.

Finland’s data protection authority, the Tietosuojavaltuutettu, ultimately fined the company 608,000 euros and Vastaamo was declared bankrupt in 2021. The patients are still living with the consequences.

References

  1. Finland Issues Wanted Notice for Hacker Behind Massive Psychotherapy Data Breach
  2. Police Issue Wanted Notice for Vastaamo Hacker Aleksanteri Kivimäki
  3. Hacker accused of breaching Finnish psychotherapy center facing 30,000 counts
  4. Vastaamo Data Breach
  5. Vastaamo Data Breach
  6. Vastaamo Hack My Darkest Secrets Were Revealed to the World

This post is also available in: Svenska

Per Häggdahl

Per Häggdahl is Head of Business Unit and CISO at eBuilder Security, with more than 20 years securing systems for banks, central banks, stock exchanges and central securities depositories, now leading the team that brings that same enterprise-grade protection to organisations of every size.