Vastaamo was a Finnish private psychotherapy service provider founded in 2008.[1] On 21 October 2020, Vastaamo announced that its patient database had been hacked. Private information obtained by the perpetrators was used in an attempt to extort Vastaamo and, later, its clients.[2] The extorters demanded 40 bitcoins, roughly worth 450,000 euros at the time, and threatened to publish the records if the ransom was not paid. To add pressure to their demands, the extorters published hundreds of patient records a day on a Tor message board.
After extortion of the company failed, the extorters sent emails to the clients whose data they had obtained, demanding that they pay ransoms in order to avoid publication of their sensitive personal data.[3][4][5][6] These ransom demands were sent to roughly 30,000 victims.[6] The company's security practices were found to be inadequate: the sensitive data was not encrypted and anonymized[7][6] and the system root did not have a defined password.[8][9][10] The patient records were first accessed by intruders in November 2018, while the security flaws continued to exist until March 2019.[5]
In December 2021, the Finnish Data Protection Authority (DPA) fined Vastaamo 608,000 euros for violating the provisions of the General Data Protection Regulation (GDPR).[9][10] This cyber-attack became the biggest criminal case in Finland history. It also turned into an international scandal and a cyber-attack unprecedented in its scope due to the tactic called double extortion applied by the cyber criminals.[11]
On October 28, 2022, the National Bureau of Investigation named the suspect behind the breach as 25-year-old Aleksanteri Julius Kivimäki.[12][13] Kivimäki was charged in absentia at Helsinki District Court for aggravated data breach, aggravated attempted extortion, aggravated distribution of information infringing private life, blackmail, breach of confidentiality and falsification of evidence.[12][14] An arrest warrant was filed with Europol and Interpol against Kivimäki stating that he was in Dubai.[14][13] In 2015, Kivimäki, then a member of Lizard Squad, was found guilty on over 50,000 counts of computer crime.[13][15]
Kivimäki was arrested in France on 3 February 2023.[16] He was extradited to Finland on 24 February.[17]
Background
Vastaamo was a Helsinki-based private psychotherapy center founded in 2008 that provided private mental-health services to its patients.[1] It was a firm with twenty-five therapy centers throughout the Nordic country of 5.5 million people.[18] Vastaamo operated as a sub-contractor for Finland's public health system.[19] Ville Tapio, ex-CEO of Vastaamo first heard from the hacker on 28 September 2020. He immediately notified various government authorities, including the police.[6] On 21 October 2020, Vastaamo announced that its confidential treatment records of approximately 36,000 psychotherapy patients and 400 employees[20] had been compromised.[11] The psychotherapy center received a ransom demand for 450,000 euros in Bitcoin.[19] The leaked patient database contained psychotherapy clients’ personal information, such as their full names, home addresses, email addresses, social security numbers, names of the clinics where they received treatments, and therapists’ and doctors’ notes from each session.[21][6]
As the company resisted to pay the ransom, the hacker, using the alias “ransom_man,”[18] published the therapist session notes of at least 300 patients,[22] including politicians and police officers,[23] on a public forum through the Tor network. The therapist session notes contained information about adulterous relationships, suicide attempts and pedophilic thoughts.[6] The hacker approached victims of the security breach directly with extortion emails demanding ransoms of 200 euros paid in Bitcoin, with the amount increased to 500 euros unless paid within 24 hours.[19] A 10-gigabyte data file containing private notes between at least 2,000 patients and their therapists had appeared on websites on the “dark web.”[18] Patient information was stolen during two attacks, which started as early as 2018. This first intrusion on Vastaamo's database took place in November 2018, and the systems were penetrated between the end of November 2018 and March 2019.[19][5] PTK Midco, a holding company owned by Intera Partners, a Finnish private equity firm, which acquired a 70% stake in Vastaamo in May 2019. The company has asked for inquiry into acquisition and also requested that its acquisition of the company be cancelled and the purchase price be returned for failure to disclose hacking.[23]
Ville Tapio was relieved of his duties as the chief executive of the psychotherapy center on 26 October 2020.[24] Vastaamo was declared bankrupt by the decision of the Helsinki District Court in February 2021.[10] In early March 2021, its staff and services were transferred to Verve, a provider of occupational welfare services. The company's patient database was not transferred over to Verve.[6]
Impact
The security breach has shaken societal trust in Finland's institutions, violated sensitive systems, and damaged faith in online social networks that are supposed to be properly secured. Thousands of victims have suffered anxiety, insecurity, and stress from this traumatic event, and the psychological effects from the trauma are long-lasting.[25] This created a national opportunity for public discussion about mental health issues.[25] Additionally, weak security of health-care systems has been brought to the surface. This hacking incident had a wide impact on healthcare industry's obligations to secure their networks and increase their accountability.[23] The security breach served as a wake-up call for Finland's cyber security who then increased preparation for digital attacks on medical healthcare providers and private education institutions.[26][27] Focus on balancing availability of information and data governance[21] has increased along with investments in companies' computer security since the hacking incident occurred. As a result of the data breach, the Finnish Data Protection Authority (DPA) started taking the violations of the GDPR more seriously and increased enforcement activities.[10] The outcomes of investigations of the security breach, and also any sanctions established, now serve as a reference point to any future legal assessments.[23]
Responding to the hack
Immediately following the hack, the cabinets from the Finnish government held their regular Wednesday meeting to address cybersecurity issues, create new legislation regarding data security and identity thefts, and promise emergency support for the victims.[26][28] More than 22,600 victims of blackmail in 2020 have visited The Victim Support Finland (RIKU), an organization that provides counseling and support to victims of crimes.[25] Various Finnish organizations have quickly established ways to help the victims, including direct dial-in numbers to churches and therapy services.[19] Organizations that provide victim support services include Finnish Red Cross, Mental Health Finland, Victim Support Finland and the Evangelical Lutheran Church of Finland.[29] Additionally, many companies working with social security numbers and debt collecting had taken action to help the victims whose identities have been stolen.[28] In order to rebuild public trust in the government and authorities, the Finnish central government requested that government agencies make sure the processing and handling of personal information is secure to minimize the leakage of personal data.[29] Additionally, ministries conducted reviews on what they can do better within their own departments and how they can assure the public about the security of their personal data.[29] The Finland's National Bureau of Investigation introduced an unprecedented Finnish criminal code, where a person can be found guilty of the privacy violation of the data subject when they process personal data, either intentionally or through gross negligence, and cause damage or significant inconvenience to the data subject.[23] Furthermore, the Finnish government accelerated legislation that allowed its citizens to change their personal identity codes when there is a data breach that would involve high risk of identity theft.[23]
Legal aftermath
In February 2023, 25-year-old Aleksanteri Kivimäki was extradited to Finland from France. He has since been kept in custody over crimes related to the hacking of patient records from the Vastaamo psychotherapy centre.[30]
In April 2023, Helsinki District Court sentenced the ex-CEO of Vastaamo, Ville Tapio, to a three-month suspended sentence. He was found guilty of a data protection crime mandated in the General Data Protection Regulation (GDPR).[31]
In October 2023, Aleksanteri Kivimäki was charged with stealing records of psychotherapy patients and over 21,000 counts of extortion.[32] His trial was scheduled to start on 13 November.[32]
In April 2024 Aleksanteri Kivimäki was sentenced to six years and three months in prison.[33] Author and information technology consultant Petteri Järvinen [fi] has used the relatively light sentence as proof that cybercrime often has no serious consequences for the perpetrator in Finland, even if the victims suffer from its results for the rest of their lives.[34]