Data breach · Contained

Vastaamo psychotherapy data breach and patient extortion (Finland, 2020)

Records on approximately 33,000 patients of Finnish psychotherapy provider Vastaamo were stolen in 2018 from an unencrypted database whose root account had no password. After an extortion attempt against the company failed in October 2020, the attacker sent ransom demands to ~30,000 patients directly. The founder was later acquitted; Aleksanteri Kivimäki was convicted and sentenced to 6 years 3 months.

Victim: Vastaamo (Finnish psychotherapy centre)
Loss: $670.0K
Records: 33.0K
Users: 33.0K

The Vastaamo breach is the largest criminal case in Finland's history and the most severe example yet of mass extortion of individual patients following a healthcare data breach. Records on approximately 33,000 patients — including notes from therapy sessions — were stolen in 2018 from a database with no encryption and a root account that had no password. After company-extortion failed in October 2020, the attacker emailed ransom demands directly to the patients.

What happened

Vastaamo was a private psychotherapy provider operating clinics across Finland. In November 2018, an attacker accessed the patient database. The data was unencrypted and the system root account had no password. The records included extensive therapy notes — the kind of intimate, identifying detail that mental-health treatment requires.

The breach went undetected for two years. In September 2020, the attacker contacted Vastaamo demanding 40 BTC (~€450,000) and threatening publication. Vastaamo did not pay. On 21 October 2020, the company publicly disclosed the breach.

The attacker then escalated unusually. Rather than dump the data, they emailed ransom demands directly to the patients themselves — approximately 30,000 individual extortion attempts — threatening to publish each person's therapy notes. This was an order-of-magnitude escalation of healthcare-data extortion tactics and caused widespread distress across Finland.

Vastaamo filed for bankruptcy in February 2021. The Finnish Data Protection Authority fined the company €608,000 for GDPR violations in December 2021. In October 2022, Finland's National Bureau of Investigation named Aleksanteri Kivimäki, 25, as the suspect. In April 2024, he was convicted on the aggravated data breach charge plus over 21,000 counts of extortion and sentenced to 6 years 3 months in prison.

The case against former CEO Ville Tapio for the underlying GDPR-related negligence ended differently: a 3-month suspended sentence at first instance, then a unanimous acquittal on appeal in December 2025.

Impact

  • ~33,000 patients had therapy notes and identifying data stolen.
  • ~30,000 individual extortion emails sent to patients directly.
  • Vastaamo bankrupt; €608,000 GDPR fine.
  • Aleksanteri Kivimäki convicted (21,000+ counts) and sentenced to 6 years 3 months.
  • Former CEO acquitted on appeal.

Why it matters

Vastaamo is the case that changed how regulators and clinicians think about mental-health data protection. The attacker's choice to extort individual patients — by threatening to expose what they had told their therapist — was a deliberate escalation of healthcare data extortion tactics. The criminal case against the former CEO, even after acquittal, has been studied across Europe as a stress test for GDPR's individual-criminal-liability provisions.

Financial impact

Reported costs in USD

Total reported loss: $670.0K (USD · $670,000)
Ransom demanded: $530.0K
Ransom paid: Refused
  • Fines & settlements: $670.0K

Timeline

  1. Vastaamo's patient database — unencrypted, root account without a password — is accessed and downloaded. The breach goes undetected for two years.

  2. Attacker contacts Vastaamo demanding 40 BTC (~€450,000) and threatens to publish patient records.

  3. Vastaamo publicly discloses the breach: ~33,000 patient records stolen, including therapy notes.

  4. After company-level extortion fails, the attacker emails ransom demands directly to ~30,000 individual patients, threatening to publish their therapy notes.

  5. Vastaamo files for bankruptcy.

  6. Finnish Data Protection Authority fines Vastaamo €608,000 for GDPR violations.

  7. Finland's National Bureau of Investigation names 25-year-old Aleksanteri Kivimäki as the suspect.

  8. Former CEO Ville Tapio receives a 3-month suspended sentence for the GDPR-related criminal failures.

  9. Aleksanteri Kivimäki is convicted on charges including aggravated data breach and over 21,000 counts of extortion; sentenced to 6 years 3 months.

  10. Helsinki Court of Appeal unanimously acquits former CEO Ville Tapio, finding insufficient evidence of the gross negligence required for criminal liability.

Sources

  1. https://en.wikipedia.org/wiki/Vastaamo_data_breach
  2. https://krebsonsecurity.com/2024/04/man-who-mass-extorted-psychotherapy-patients-gets-six-years/
  3. https://therecord.media/finland-vastaamo-hacker-free-during-appeal-conviction
  4. https://www.helsinkitimes.fi/finland/finland-news/domestic/27889-kivimaeki-walks-free-during-appeal-over-vastaamo-data-breach.html
  5. https://www.nelsonslaw.co.uk/when-confidentiality-fails-lessons-from-the-vastaamo-therapy-records-scandal/
