Psychotherapy practice hacker gets jail time after extorting patients, publishing personal therapy notes online

On October 30, 2020, I started a article with the words:

“Hell is too nice a place for these people.”

The subject of this outrage focused on the cybercriminals behind an attack on Finnish psychotherapy practice Vastaamo. Because it was a psychotherapy practice, the records contained extremely sensitive and confidential information about some of the most vulnerable people.

Sadly, the attacker did not stop at extorting the clinic but also sent extortion messages to the patients, asking them to pay around $240 to prevent their data from being published online. And that was a first, as far as we know—not just demanding a ransom from the breached organization, but also from all those that were unlucky enough to have their data on record there.

The attacker demanded a €400,000 ($425,000) ransom from the company. When it refused to pay, he emailed thousands of patients asking for €200 and threatening to publish their therapy notes and personal details on the dark web if they didn’t pay. He ended up publishing it anyway.

As a result of this cyberattack and the extortion attempts:

  • Vastaamo’s board fired the CEO because they held him responsible for knowing about the breaches and of the shortcomings in the psychotherapy provider’s data security systems.
  • Vastaamo’s owner, who bought the practice a few months after the second breach but was not informed about it, began legal proceedings related to its purchase.
  • Vastaamo had to shut its doors because it could not meet its financial obligations.
  • The Finnish government contemplated expanding the options for individuals to change their social security number in certain circumstances, such as the aftermath of a hacking incident.
  • At least one suicide has been linked to the case.

Now the attacker has been convicted. 26-year-old Julius Kivimäki has been sentenced to six years and three months in prison. Kivimäki, known online as Zeekill, was one of the leading members of several groups of teenage cybercriminals which caused chaos between 2009-2015. One of those groups was the infamous Lizard Squad.

At the age of 17, Kivimäki was convicted of more than 50,000 computer hacks and sentenced to a two-year prison sentence, which was suspended because he was 15 and 16 when he carried out the crimes in 2012 and 2013.

Despite the conviction, the Vastaamo case is not over as civil court cases are now likely to begin to seek compensation for the victims of the hack.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection