Imagine your therapist's confidential notes – your most private fears and vulnerabilities – suddenly published for the world to see. For 33,000 people in Finland, this digital nightmare became a terrifying reality, with consequences that were both profound and, in some cases, fatal. The perpetrator, Aleksanteri Kivimäki, has now been found guilty, but the scars from Finland's largest-ever data crime remain.
The Day Privacy Was Shattered
For Tiina Parikka, the horror began with an email on a Saturday in October 2020. The message, chillingly polite, informed her that her personal therapy records from Vastaamo, a nationwide psychotherapy provider, had been stolen. The sender demanded €200 in bitcoin within 24 hours to keep them secret. Failure to pay would see the price rise, and then her most intimate conversations would be published alongside her name, address, and social security number.
"My heart was pounding. It was really difficult to breathe," Parikka recalls. "It felt like a public rape." She had confided deeply personal trauma during three years of weekly sessions, including the immense challenges of raising disabled children. The violation was absolute.
She was far from alone. Across Finland, tens of thousands of Vastaamo patients received identical emails. These were individuals who, by seeking therapy, were often at their most vulnerable. The scale was staggering in a nation of just 5.6 million people.
A Hacker's Trail of Chaos and a CEO's Negligence
Unbeknownst to the victims, Vastaamo's CEO, Ville Tapio, had known about the ransom demand for weeks. A security investigation revealed the company's digital defences were shockingly lax. The patient database was accessible online with no firewall and, most egregiously, protected by a blank password.
While the company refused to pay, the hacker, using the handle 'ransom_man', began leaking records on the dark web. One hundred patient files were published daily, exposing notes detailing adultery, suicide attempts, and sexual violence, some belonging to children. The intent was to pressure Vastaamo, but a catastrophic error followed. In attempting to automate the leak, the hacker accidentally uploaded the entire database of 33,000 records, along with his own home folder – a digital treasure trove for investigators.
This mistake led cyber security expert Antti Kurittu, a former detective, to a familiar name. The chaotic file structure and juvenile naming (the main file was called "therapissed") reminded him of Aleksanteri 'Julius' Kivimäki, a hacker notorious from his teens for 'swatting' attacks, fake bomb threats, and leading the Lizard Squad group that took down PlayStation and Xbox networks on Christmas Day 2014.
Conviction, but Inadequate Justice?
The evidence was damning. Police traced a test bitcoin payment to Kivimäki's bank account. His credit card had paid for servers used in the leak. His IP address, from a London apartment near MI5 headquarters, was used to search the stolen database for his own name and family members' details, ensuring their records were purged before publication.
After an international manhunt, Kivimäki was arrested in a Paris suburb in February 2023. In April 2024, he was found guilty on all charges, including 9,600 counts of aggravated invasion of privacy and over 21,300 counts of attempted aggravated extortion. He received a sentence of six years and three months, less than the possible seven-year maximum.
Lead prosecutor Pasi Vainio estimates the collective suffering at 635 years, based on the conservative assumption that each victim endured a week of agony. At least two people are known to have taken their own lives after discovering their notes were online. For many victims, the sentence feels insufficient. Kivimäki, currently appealing, could be free by the end of this year.
In a prison interview, he showed no remorse, claiming he was framed. When asked about the victims' suicides, he callously stated, "These are nameless, faceless people."
The Lasting Fallout and a Warning for the Digital Age
Vastaamo was declared bankrupt in 2021. Ville Tapio was initially convicted of criminal negligence, though this was later overturned on appeal. A civil case for damages against Kivimäki is underway, but he claims to have no assets. The Finnish government is offering compensation, but it is largely symbolic.
The true cost is a crisis of trust. "There are now maybe thousands of people who will never use therapy again," says Parikka. The stolen database remains in circulation, a permanent threat. In May 2025, Finnish police charged a second suspect, a US citizen in Estonia, with aiding the extortion.
The Vastaamo hack is a stark parable for our time. It exposes the fragility of our digital secrets and the profound human cost when systems fail. As Kivimäki himself cynically noted, our worst secrets often reside in corporate databases. In an age of AI and ubiquitous data collection, the case forces a harrowing question: In a world of unparalleled connectivity, can our innermost thoughts ever be truly safe?