Hacker accessed thousands of psychotherapy records before demanding ransoms

For free real time breaking news alerts sent straight to your inbox sign up to our breaking news emails

Sign up to our free breaking news emails

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy policy

A 26-year-old man has been jailed for six years and three months after hacking tens of thousands of patient records at a private psychotherapy center and seeking ransom from patients.

The case was initially revealed in October 2020, and caused outrage and shock in the Finland, with a record number of people — about 24,000 — filing criminal complaints with police.

Lawyer Jenni Raiskio, who is representing some 1,500 clients, told the Finnish newspaper Helsingin Sanomat in March that at least a few of the victims died killed themselves due to the sensitive nature of information in the leaked files.

In February 2023, French police arrested well-known Finnish hacker Aleksanteri Kivimäki, who was living under a false identity near Paris and deported him to Finland.

His trial ended last month.

The Länsi-Uusimaa District Court said Kivimäki was guilty of, among other things, an aggravated data breach, nearly 21,000 aggravated blackmail attempts and more than 9,200 aggravated disseminations of information infringing private life.

The court called the crimes “ruthless” and “very damaging” considering the psychological state of the people involved. According to the charges, Kivimäki in 2018 hacked into the information system of the Vastaamo psychotherapy center and downloaded its database of some 33,000 clients.

Vastaamo, which was suspected of lax protection of client data and declared bankruptcy in 2021, had branches throughout the country and operated as a sub-contractor for Finland’s public health system.

Prosecutors said Kivimäki first demanded that Vastaamo pay him an amount equivalent to around 370,000 euros ($396,000) in bitcoins in exchange for not publishing the patient records.

When the center refused, Kivimäki in 2020 began publishing patient information on the dark web and sent patients messages demanding a ransom of 200 euros or 500 euros. About 20 patients paid, prosecutors said.

Kivimäki denied all the charges. His lawyer said he would likely appeal. Prosecutors had sought seven years in prison, the maximum for such crimes under Finnish law.

Kivimäki was first convicted at age 15 after hacking into over 50,000 servers with software he developed, Finnish newspaper Ilta-Sanomat reported in 2022.

In the United States, he was convicted over hacking cases involving the US Air Force and Sony Online Entertainment.

The Vastaamo case led the Finnish government to fast-track a legislative change that allows citizens to change their personal identity codes.