The Finnish court has sentenced a 26-year-old man to six years and three months in prison for hacking tens of thousands of patient records at a private psychotherapy center and attempting to extort ransom from some of the affected individuals. The case, which came to light in October 2020, has sparked outrage in Finland, with a record number of about 24,000 people filing criminal complaints with the police. The defendant, Aleksanteri Kivimäki, was arrested in France in February 2023 and deported to Finland for trial, which concluded recently. The Länsi-Uusimaa District Court found Kivimäki guilty of aggravated data breach, blackmail attempts, and dissemination of private information.
The court described the crimes committed by Kivimäki as “ruthless” and “very damaging,” particularly considering the psychological impact on the victims. The hacker gained unauthorized access to the Vastaamo psychotherapy center’s information system in 2018 and downloaded the database containing details of approximately 33,000 clients. Lawyer Jenni Raiskio, representing around 1,500 clients, revealed that some victims had tragically died by suicide due to the sensitive nature of the leaked information. Vastaamo, which operated as a subcontractor for Finland’s public health system, went bankrupt in 2021 amid suspicions of insufficient data protection measures.
Prosecutors disclosed that Kivimäki initially demanded a significant sum of money in bitcoins from Vastaamo in exchange for not disclosing the patient records. When the center refused to comply, the hacker began publishing the information on the dark web and sent messages to patients requesting ransom payments ranging from 200 to 500 euros. Approximately 20 patients paid the demanded amounts, according to the prosecutors. Despite the charges brought against him, Kivimäki denied any wrongdoing and intends to appeal the court’s decision. His lawyer confirmed the possibility of filing an appeal against the verdict, given the maximum sentence of seven years sought by the prosecution.
Kivimäki’s criminal history includes previous convictions for hacking offenses committed at a young age, involving over 50,000 servers. He was also convicted in the United States for hacking incidents related to the U.S. Air Force and Sony Online Entertainment. The repercussions of the Vastaamo data breach prompted the Finnish government to expedite legislative changes enabling citizens to modify their personal identity codes in cases of severe data breaches with a heightened risk of identity theft. This measure aims to provide additional protection to individuals affected by data breaches, ensuring their privacy and security in the digital environment. The case underscores the importance of robust cybersecurity measures and stringent penalties for individuals engaging in cybercrimes that compromise sensitive personal information.
