In a cybercrime first, a hacker turned mental health records into ammunition, extorting not just a company, but its patients. In 2020, Finnish psychotherapy provider Vastaamo was breached in what experts now call the most psychologically devastating data leak in history. Over 30,000 deeply personal therapy records were weaponized for profit, shaking Finland and cybersecurity professionals alike.
This edition of Cybercrime Stories dissects how it happened, who was behind it, and what it means for the future of digital trust in healthcare.
🏥 What Was Vastaamo?
Vastaamo, founded in 2008, was Finland’s largest private psychotherapy provider. By 2020, it operated 25 clinics nationwide and had treated nearly 40,000 patients, many of whom were referred through Finland’s public healthcare system. As a key subcontractor to multiple hospital districts, Vastaamo effectively bridged public and private mental health care, making its digital infrastructure a single point of vulnerability for tens of thousands.
But the very system built to streamline therapy access became its undoing. Vastaamo’s digital architecture prioritized convenience over security. Its entire patient database, containing deeply personal therapy notes, was left unencrypted, and shockingly, the administrator (“root”) account had no password.
This negligence opened the door to a devastating breach. Attackers exploited the system, exfiltrated highly sensitive records, and later blackmailed both the company and its patients. The fallout was swift and severe. Trust eroded, legal action mounted, and patients were retraumatized en masse. By February 2021, overwhelmed by lawsuits, public outrage, and reputational collapse, Vastaamo declared bankruptcy. The once-vital pillar of Finnish mental health care was effectively dismantled, not by financial mismanagement, but by a total failure to protect patient privacy.
💥 The Incident
A Breach with a Human Toll
On October 21, 2020, Vastaamo disclosed a breach: sensitive data, including therapy session notes, Social Security numbers, and clinic visit logs, had been stolen. But the breach wasn’t new. Investigators later confirmed the attacker had first accessed the database in November 2018 and remained undetected for months.
The Extortion Phase
The attacker launched a double-extortion scheme:
Demand Number 1: €450,000 in Bitcoin from Vastaamo to prevent a leak.
When Refused: Hundreds of patient files were released daily on the dark web (Tor).
Demand Number 2: €200–€500 per patient, directly emailed to victims to suppress their data.
Over 22,000 patients received blackmail emails. Therapy records included disclosures of suicide attempts, abuse, and trauma, turning the hack into an act of psychological warfare. Finnish leaders called the crime “cruel,” “shocking,” and “inhumane.”
🛑 The Hack
A forensic audit revealed one of the most negligent cybersecurity setups ever seen in healthcare:
No password on root/admin account
Unencrypted SQL database (~10 GB)
No multi-factor authentication or access control
No development/test segmentation
Minimal logging or monitoring
Once inside, the attacker downloaded the entire database and quietly exfiltrated it over months. The breach had no ransomware encryption, only the threat of exposure.
🆘 The Impact
The Vastaamo breach affected over 33,000 patients, 22,000 of whom were targeted individually in extortion attempts; it remains the largest privacy violation in Finnish history.
CEO Ville Tapio was fired for concealing the earlier 2019 breach. In 2023, he received a three-month suspended sentence for GDPR violations.
Company fined €608,000 for delayed reporting and gross security lapses.
Vastaamo declared bankruptcy in 2021. Its clinics were later sold off.
The case triggered major policy reforms, including the right to change national ID numbers post-breach.
Victims were retraumatized as deeply personal therapy notes were leaked or weaponized, turning healing into harm.
The breach sparked a national debate on “psybersecurity”, forever changing how mental health data is protected.
📢 The Response
The Vastaamo breach wasn’t just a cybersecurity crisis; it was a national trauma. As the blackmail unfolded and therapy notes leaked online, thousands of victims faced fear, shame, and emotional devastation. When the breach went public in October 2020, Vastaamo’s board took internal action, but by then, the damage was irreversible.
Public Apology & Disclosure: Vastaamo publicly confirmed the breach, apologized, and notified key authorities, including the police, Finland’s National Cyber Security Centre, the health authority Valvira, and the Data Protection Ombudsman.
Security Audit Initiated: The company commissioned an independent forensic review to investigate the breach and began enhancing monitoring on its systems.
Forced to Notify Victims: Under regulatory pressure, Vastaamo was ordered to personally inform each affected patient, rather than rely on a general notice, underscoring the gravity of the breach.
Despite these actions, Vastaamo’s failure to secure data and delay in reporting the initial breach (from 2019) led to massive public backlash, legal penalties, and eventual bankruptcy.
Meanwhile, Finland mobilized at every level:
Emergency Hotlines Activated: Churches, mental health NGOs, and state services opened round-the-clock crisis counseling lines to support traumatized patients, many of whom feared public exposure of their most private confessions.
Cyber Volunteers to the Front: A grassroots cybersecurity force known as KyberVPK (Cyber Civil Defense) was formed. Volunteers helped victims secure their devices, accounts, and digital identities, offering practical steps for digital self-defense.
Credit Monitoring & Identity Protection: Finland’s financial institutions provided identity theft monitoring and support to impacted individuals. Later, the government passed legislation allowing citizens to change their national ID numbers in response to data breaches, which was previously not possible.
Legal & Regulatory Action: The Data Protection Ombudsman forced Vastaamo to notify all affected patients individually, not just via website updates. Regulators levied €608,000 in fines, and criminal cases were brought against company executives.
Finland’s response became a model for whole-of-society mobilization in the face of digital trauma. From therapists to hackers-turned-helpers, the nation rallied behind the victims, not only to contain the damage but to set a precedent: psychological data deserves the highest level of protection.
💻 The Culprit
In October 2022, Finnish police charged Aleksanteri Julius Kivimäki, a 26-year-old cybercriminal known by the aliases “Ryan” and “Zeekill.” A former member of Lizard Squad, Kivimäki had a history of DDoS attacks and cyber harassment.
Arrested in France (Feb 2023), extradited to Finland.
Convicted in April 2024, sentenced to 6 years and 3 months.
As of May 2025, police have named a second suspect in Estonia, believed to have helped publish the data and prepare ransom materials.
🔐 Lessons for the Healthcare Sector
1. Psychological Data = Highest Risk
Psychotherapy notes are more sensitive than financial records. Breaches of this nature risk long-term trauma, stigma, and blackmail. Lesson: Treat such data as sacred. Protect it accordingly.
2. Security Hygiene Matters
No-password admin accounts and unencrypted databases are indefensible in any environment, especially healthcare. Lesson: Encryption, strong access control, and network segmentation are non-negotiables.
3. Patients Can Be Targets Too
The Vastaamo attack pioneered “retail extortion”, targeting victims individually. Expect attackers to adapt this strategy elsewhere. Lesson: Companies must plan for extortion that goes beyond corporate systems.
4. Disclosure Delay Will Always Result in Disaster
The attacker had access in 2018. The company waited until late 2020 to notify anyone. That two-year silence magnified harm. Lesson: GDPR’s “notify without undue delay” isn’t just a legal requirement; it’s an ethical one.
⚖️ Policy Impact & “Psybersecurity”
The breach became a national cybersecurity turning point:
Finland passed laws allowing ID number changes after breaches.
Healthcare institutions underwent cyber audits.
Public attention shifted to “psybersecurity”: protecting mental health data with the same rigor as national defense.
As Mikko Hyppönen, CTO of F-Secure, put it:
“I’ve never seen anything like this. This was the worst misuse of private records I’ve ever encountered.”
🎯 What to Do In Similar Cases
For Healthcare Providers:
Encrypt everything: at rest and in transit
Require MFA and strong passwords for admin accounts
Segment networks and limit database access
Run penetration tests, log reviews, and incident simulations
Report breaches fast; waiting worsens damage
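The audit findings above (a root account with no password on an internet-reachable SQL server) and the admin-account item in this checklist both come down to one routine check of the database's grant table. The script below is an added example, not code from Vastaamo or the case investigation: it runs the check over constructed rows shaped like MySQL/MariaDB's mysql.user table (the column names are the real ones; the account data is invented) and prints the remediation statements an administrator would review.

```python
"""Audit MySQL/MariaDB account rows for passwordless logins and
privileged accounts reachable from any host.
Added example; the rows below are constructed, not data from the case."""

# Constructed sample in the shape of:
#   SELECT User, Host, plugin, authentication_string, Super_priv FROM mysql.user
SAMPLE_USERS = [
    {"User": "root", "Host": "%", "plugin": "mysql_native_password",
     "authentication_string": "", "Super_priv": "Y"},
    {"User": "root", "Host": "localhost", "plugin": "auth_socket",
     "authentication_string": "", "Super_priv": "Y"},
    {"User": "app", "Host": "10.0.2.%", "plugin": "mysql_native_password",
     "authentication_string": "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29",
     "Super_priv": "N"},
    {"User": "backup", "Host": "%", "plugin": "mysql_native_password",
     "authentication_string": "", "Super_priv": "N"},
]

# Plugins that authenticate via the OS socket and legitimately store no password.
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}


def audit_accounts(rows):
    """Return (account, finding) pairs for every weakness found, in table order."""
    findings = []
    for r in rows:
        acct = f"{r['User']}@{r['Host']}"
        # Empty hash with a password plugin means anyone can log in as this account.
        if not r["authentication_string"] and r["plugin"] not in SOCKET_PLUGINS:
            findings.append((acct, "no password set"))
        # SUPER from '%' (or the legacy empty host) means admin access from anywhere.
        if r["Super_priv"] == "Y" and r["Host"] in ("%", ""):
            findings.append((acct, "SUPER account reachable from any host"))
    return findings


def remediation_sql(findings):
    """Emit the statements an admin would review before applying them."""
    stmts = []
    for acct, finding in findings:
        user, host = acct.split("@", 1)
        if finding == "no password set":
            stmts.append(f"ALTER USER '{user}'@'{host}' IDENTIFIED BY '<new-strong-password>';")
        else:
            stmts.append(f"DROP USER '{user}'@'{host}';  -- keep only root@localhost")
    return stmts


if __name__ == "__main__":
    for acct, finding in audit_accounts(SAMPLE_USERS):
        print(f"{acct}: {finding}")
    print("\n".join(remediation_sql(audit_accounts(SAMPLE_USERS))))
```

On a live server the same logic applies to the real query output; pair it with bind-address and firewall checks, since a passwordless account is only catastrophic when the port is reachable.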
For Patients:
Monitor credit reports and online mentions of your data
Use unique passwords and enable MFA
Know your rights: under GDPR, you’re entitled to know who holds your data and how it’s secured
📌 Final Takeaway
The Vastaamo case reminds us that data breaches aren’t just IT failures; they’re human tragedies. In sectors like mental health, where trust is everything, cybersecurity is not optional. It’s a duty of care. The breach may be over, but the trauma lives on, for patients, providers, and a nation that trusted digital care would also be safe care.
Stay tuned as we uncover more real-life digital horrors on Cybercrime Stories.
Copyright © 2026 911Cyber . All Rights Reserved.