Vastaamo Data Breach Exposes Failures in Europe’s Digital Health Security

Finland’s Biggest Cyber Scandal: Therapy Notes of 33,000 Patients Leaked, ‘Hacker God’ Kivimäki Convicted

The420 Web Desk

Helsinki: The 2020 extortion campaign against Finland's private psychotherapy provider Vastaamo has gone down as the country's most devastating data breach. Confidential therapy records, personal identity codes and contact details of nearly 33,000 patients were stolen and later published on the dark web, shaking public trust in digital healthcare across Europe.

A Finnish court has now convicted hacker Aleksanteri (Julius) Kivimäki for serious privacy violations, extortion and cybercrimes, sentencing him to six years and three months in prison. The ruling is being seen as one of Finland’s toughest-ever punishments for a cyber offence involving healthcare data.

How the Attack Happened

In October 2020, a hacker operating under the alias "ransom_man" surfaced with patient data taken from Vastaamo's servers (the Finnish investigation later dated the actual intrusions to late 2018 and early 2019, well before the extortion began). He initially demanded roughly ₹3.7 crore from the company in exchange for not releasing the data. When the firm refused, he began emailing patients directly, demanding between ₹20,000 and ₹50,000 from each victim.


He threatened to publish their most private therapy discussions online if they failed to pay. Within days, records of 100 patients at a time began appearing on a dark web site, culminating in the leak of the entire database, including names, addresses, identity numbers and deeply sensitive therapy notes.

Serious Security Negligence

A government investigation found that Vastaamo's patient database had been reachable directly from the internet, with no firewall in front of it and an unprotected root account that required no password. Nothing about the exposure was exotic: any attacker scanning for open database ports could have found and copied the records, and the intrusions went unnoticed for roughly two years. Cybersecurity experts described the lapse as "unacceptable for handling sensitive health records."
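The two failures the investigation describes, a database listening on a public interface and accounts with no password, are both checkable from a config file and one query against the server's own user table. The following audit script is an added example, not code from the page or from Vastaamo; the my.cnf fragments and the user rows are constructed, the column names follow MySQL's mysql.user table, and the "weak" side reproduces the class of misconfiguration described above next to a hardened equivalent.

```python
"""Audit a MySQL/MariaDB deployment for internet exposure and password-less accounts.

Added example: the config text and the account rows below are constructed samples,
not material from Vastaamo or from the investigation.
"""
import configparser
import socket

# Constructed my.cnf fragments: a weak deployment beside a hardened one.
WEAK_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

HARDENED_CNF = """
[mysqld]
bind-address = 127.0.0.1
port = 3306
require_secure_transport = ON
"""

# Constructed rows in the shape returned by:
#   SELECT User, Host, authentication_string FROM mysql.user;
# An empty authentication_string means the account has no password at all.
WEAK_USERS = [
    ("root", "%", ""),
    ("app", "%", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
]
HARDENED_USERS = [
    ("root", "localhost", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
    ("app", "10.0.1.%", "*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"),
]

ALL_INTERFACES = {"*", "0.0.0.0", "::"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_config(cnf_text: str) -> list[str]:
    """Return findings for the [mysqld] section of a my.cnf-style config."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(cnf_text)
    if not cp.has_section("mysqld"):
        return ["no [mysqld] section found"]
    sec = cp["mysqld"]
    findings = []
    # MySQL's default bind-address is '*', i.e. every interface, so a missing
    # key is treated as exposed rather than as safe.
    bind = (sec.get("bind-address") or "*").strip()
    if "skip-networking" not in sec and bind in ALL_INTERFACES:
        findings.append(f"bind-address={bind}: server listens on all interfaces")
    if (sec.get("require_secure_transport") or "OFF").strip().upper() != "ON":
        findings.append("require_secure_transport is OFF: connections may be unencrypted")
    return findings


def audit_accounts(rows: list[tuple[str, str, str]]) -> list[str]:
    """Return findings for (User, Host, authentication_string) rows."""
    findings = []
    for user, host, auth in rows:
        if auth == "":
            findings.append(f"{user}@{host}: account has no password")
        if host == "%":
            findings.append(f"{user}@{host}: account may connect from any host")
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(f"root@{host}: root login permitted from a remote host")
    return findings


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes.

    Run this from outside the network boundary: a database that answers here
    is exposed to the internet regardless of what the config file claims.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for label, cnf, users in (("weak", WEAK_CNF, WEAK_USERS),
                              ("hardened", HARDENED_CNF, HARDENED_USERS)):
        print(f"== {label} deployment ==")
        for finding in audit_config(cnf) + audit_accounts(users):
            print("  -", finding)
    # Example external check against a placeholder host (assumed, not a real target).
    print("db.example.internal:3306 reachable:", port_reachable("db.example.internal", 3306))
```

The config check deliberately treats a missing bind-address as a finding, because the server default is to listen everywhere; the account check flags the three conditions that together produced the Vastaamo exposure (no password, wildcard host, remote root). The reachability probe is the one test that cannot be faked by a config file and should be run from an address outside the trusted network.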

The fallout was severe. In early 2021, Vastaamo was declared bankrupt, and thousands of affected patients filed claims for privacy invasion and emotional distress. The case quickly became a wake-up call for digital health companies across Europe.

Who is Aleksanteri Kivimäki

Kivimäki is a known figure in cybercrime circles and had previously been linked to several hacking incidents. He used to refer to himself online as the “Untouchable Hacker God.” In February 2023, he was arrested in Paris, France, while living under a fake identity.

The court found that he had committed 9,598 counts of privacy violation and more than 20,000 attempted extortions, making this one of the largest cyber-extortion cases ever prosecuted in the country.

Impact on Victims

The breach devastated thousands of families. Patients’ most personal struggles—ranging from depression and abuse to family trauma and suicidal thoughts—were suddenly made public. Many victims described the leak as “a violation of their innermost lives.”

According to Finnish authorities, at least two victims died by suicide or attempted to do so after their therapy details surfaced online. The case has highlighted the profound psychological harm that data breaches can inflict.

Government Response and Compensation

In response, the Finnish government proposed a compensation plan for the victims. Initial estimates put payouts at between ₹50,000 and ₹2.5 lakh per person. Civil rights groups argue, however, that this falls far short of the mental and social damage the victims suffered.

The government has since announced that it will tighten cybersecurity regulations and health data protection standards for all digital healthcare providers operating in Finland.

A Global Warning for Digital Healthcare

The Vastaamo incident has sent a strong message worldwide: digital health data is now a prime target for cybercriminals. Experts expect the breach to force governments and healthcare companies to reassess how back-end systems are exposed to the network, how access to patient records is controlled and encrypted, and how privacy law is enforced.

Across the European Union and beyond, stricter measures are now being adopted to ensure that patients’ medical and psychological records remain secure.
