In October 2020, Finland witnessed its most devastating cybercrime when psychotherapy provider Vastaamo suffered a catastrophic data breach affecting 33,000 patients. The hacker gained access to highly sensitive therapy session transcripts containing intimate details about suicide attempts, extramarital affairs, and childhood trauma.
The attacker employed a double-extortion strategy: first demanding €400,000 in bitcoin from Vastaamo, then targeting individual patients with personalized ransom emails. Meri-Tuuli Auer, one victim, received a message containing her full name, social security number, and therapy details, demanding €200 in cryptocurrency within 24 hours under threat of public exposure.
Finnish authorities launched an intensive investigation led by Detective Marko Lepponen, who described the case as unprecedented in scale. After two years, they identified Julius Kivimäki, a known cybercriminal, as the prime suspect. Kivimäki was arrested in France in February 2023 and extradited to Finland.
The trial became a national event, with 21,000 victims registering as plaintiffs. Court proceedings were broadcast in cinemas to accommodate the unprecedented number of affected individuals. Kivimäki received a six-year, seven-month prison sentence despite maintaining his innocence.
The aftermath continues to haunt victims years later. A search engine exists on the dark web allowing anyone to look up stolen therapy records by name. The breach has eroded trust in mental health services, with many former patients refusing to seek further therapy. Legal representatives report at least two suicides linked to the data exposure.
Auer’s journey represents both the profound trauma and remarkable resilience of victims. After initial paralysis and fear, she chose transparency—publicly acknowledging her victim status on social media, discussing her leaked secrets with family, and ultimately publishing a book titled ‘Everyone Gets to Know’ to reclaim her narrative from the hacker’s violation.