Finnish Hacker Sentenced to 6 Years for Massive Psychotherapy Data Breach

Aleksanteri Kivimäki, a 26-year-old Finnish hacker, has been sentenced to prison, thousands, demanding ransoms for hacking the Vastaamo psychotherapy center's patient records and attempting to blackmail patients in 2020. Kivimäki was found guilty of an aggravated data breach, nearly 21,000 aggravated blackmail attempts, and over 9,200 aggravated disseminations of private information.

The court described Kivimäki's crimes as "ruthless" and "very damaging" to the psychological state of the victims. At least a few patients reportedly died by suicide due to the sensitive nature of the leaked information. Vastaamo, the psychotherapy center, was suspected of lax data protection and declared bankruptcy in 2021.

Kivimäki hacked into Vastaamo's system in 2018 and downloaded the records of around 33,000 clients. He then demanded a ransom of around 370,000 euros from Vastaamo, and when they refused, he began publishing patient information on the dark web and sending ransom demands to individual patients. About 20 patients paid the ransom of 200 or 500 euros.

The case caused outrage in Finland, with a record 24,000 people filing criminal complaints. Prosecutors had sought a 7-year sentence, the maximum under Finnish law. Kivimäki, who was arrested in France in 2023 and deported to Finland, had previously been convicted for hacking over 50,000 servers at age 15 and for hacking cases involving the U.S. Air Force and Sony Online Entertainment.

Why this matters: The Vastaamo data breach is considered one of the most serious cybersecurity incidents in Finland's history, impacting tens of thousands of vulnerable individuals. The case highlights the critical importance of robust data protection measures and the severe consequences that can result from security failures, especially when sensitive personal information is involved.

The Vastaamo case led the Finnish government to fast-track a legislative change allowing citizens to change their personal identity codes in cases of gross data breaches with a high risk of identity theft. Kivimäki maintained his innocence despite the evidence linking him to the crimes, including an IP address and a bitcoin payment traced to his bank account. The court's decision sends a strong message about the serious penalties for cybercrime and blackmail in Finland.

Key Takeaways

• Finnish hacker Aleksanteri Kivimäki sentenced for hacking psychotherapy center, leaking data
• Kivimäki accessed 33,000 patient records, demanded ransoms, leading to patient suicides
• Vastaamo psychotherapy center suspected of lax data protection, declared bankruptcy in 2021
• Kivimäki had prior convictions for hacking over 50,000 servers and U.S. Air Force systems
• Case led to legislative change allowing identity code changes for data breach victims