In late October 2020, Tiina Parikka was at home in Vantaa, Finland, when she received an email that would change her life. The message contained her name and social security number, demanding a ransom to keep her therapy records private. It was a chilling moment for Parikka, a headteacher dealing with the aftermath of a COVID outbreak at her school. The email was polite yet threatening, demanding €200 in bitcoin within 24 hours, or €500 within 48 hours, with the promise of exposing her most personal therapy notes if she failed to comply.
Parikka was not alone. Across Finland, 33,000 individuals who had used Vastaamo’s psychotherapy services found themselves victims of a massive data breach. The hacker, known as ransom_man, had accessed therapy notes and was holding them to ransom. The incident was unprecedented in Finland, a country known for its high-tech innovations and cybersecurity prowess.
The Scope of the Breach
The breach exposed sensitive information, including therapy notes of politicians, police officers, and public figures. The hacker began leaking records online, escalating the pressure on Vastaamo. The breach was not just a financial threat but a deeply personal violation for the victims. Some individuals, unable to cope with the exposure, tragically took their own lives.
Vastaamo, once a beacon of accessible mental health care, was now at the center of Finland’s largest cybercrime. Founded in 2008, the company had grown rapidly, offering digital therapy services that were both convenient and affordable. However, the breach revealed significant security lapses, including an unsecured patient records database accessible via the internet.
Tracing the Hacker
Investigations led by cybersecurity expert Antti Kurittu pointed to Julius Kivimäki, a notorious figure in the hacking community. Known online as zeekill, Kivimäki had a history of cybercrimes, including involvement with the group Lizard Squad, infamous for disrupting Xbox and PlayStation networks.
Kivimäki’s past was marked by audacious hacks and a brazen attitude, once describing himself as an “untouchable hacker god.” Despite his notoriety, the investigation into the Vastaamo breach was complex, involving terabytes of data and over 21,000 criminal reports. However, a critical mistake by the hacker—uploading his home folder—provided investigators with the evidence needed to link Kivimäki to the crime.
The Trial and Its Implications
In November 2023, Kivimäki faced trial, charged with thousands of counts of aggravated invasion of privacy and attempted extortion. The trial was a logistical challenge, with over 21,000 victims involved. Proceedings were broadcast to public spaces, allowing victims to witness the trial in real-time.
On April 30, 2024, Kivimäki was found guilty and sentenced to six years and three months in prison. The sentence, while significant by Finnish standards, was seen by many as insufficient given the scale of the crime. Kivimäki’s appeal is ongoing, but he is expected to be released by the end of the year.
“The sentencing scale is too low, in my opinion. But that’s the framework we have in Finland,” said Pasi Vainio, the lead prosecutor.
Looking Forward
The Vastaamo breach has left a lasting impact on Finland’s approach to cybersecurity and mental health services. The company was declared bankrupt in 2021, and its CEO, Ville Tapio, faced charges of criminal negligence, although his conviction was later overturned.
For victims like Parikka and Meri-Tuuli Auer, the breach was a profound violation of trust. Many have joined a civil case seeking damages from Kivimäki, although recovering compensation remains uncertain. The Finnish government has offered symbolic compensation to victims, but the emotional and psychological damage persists.
The case has raised questions about privacy in the digital age. As Kivimäki himself noted, “So many of our worst secrets exist online. You fundamentally want to believe in this privacy. But, on the other hand, I don’t know how you’re going to get there.”
The Vastaamo breach serves as a stark reminder of the vulnerabilities inherent in our increasingly digital world. It underscores the need for robust cybersecurity measures and the importance of safeguarding personal information, particularly in sensitive areas like mental health.
