A Finnish court has handed down a six-year and three-month prison sentence to 26-year-old Aleksanteri Kivimäki for his involvement in hacking and attempting to extort tens of thousands of patient records from a private psychotherapy center.
This case, which first emerged in October 2020, has sparked a loud public outcry and led to widespread legal action in Finland.
Vastaamo Hack Issue
The breach occurred at the Vastaamo psychotherapy center, where Kivimäki illegally accessed and downloaded a database containing approximately 33,000 client records in 2018.
As reported by Bloomberg, the Länsi-Uusimaa District Court found Kivimäki guilty of an aggravated data breach, nearly 21,000 counts of aggravated blackmail, and over 9,200 instances of aggravated dissemination of information infringing on private life. Moreover, the court described Kivimäki's actions as "ruthless" and "very damaging," particularly given the vulnerable psychological state of the affected individuals.
Serious Effect on Mental Health of the Victims
The data breach had profound effects on the victims, with reports from the Finnish newspaper Helsingin Sanomat noting that some individuals affected by the leaks tragically ended their own lives due to the sensitive nature of the information exposed.
Lawyer Jenni Raiskio, representing about 1,500 clients, emphasized the devastating impact on those whose private details were disclosed.
Ransom Demands and the Court's Decision Under Finland's Law
Prosecutors detailed how, after Vastaamo-which rebuffed his initial blackmail attempt involved a demand for payment of around 370,000 euros ($396,000) in bitcoins-Kivimäki resorted to publishing the stolen patient data on the dark web in 2020. He also directly demanded ransoms of 200 to 500 euros from individual patients, with about 20 victims complying with his demands.
Despite his denials of the charges, the court's decision reflects the severity of the crimes. Prosecutors initially sought a seven-year sentence, the maximum under Finnish law for such offenses.
Finnish Hacker is Not New Anymore to Hacking
Kivimäki is no stranger to the legal system. As reported by Ilta-Sanomat in 2022, he was first convicted at the age of 15 for hacking over 50,000 servers with his own software.
According to ABC News, this hacking experience even extended internationally, with convictions in the United States related to breaches involving the U.S. Air Force and Sony Online Entertainment.
The Vastaamo case has had serious consequences beyond the courtroom, prompting the Finnish government to fast-track legislative changes. These include allowing citizens to change their personal identity codes to prevent identity theft and highlighting the case's influence on national security and privacy laws.
As the case concludes with Kivimäki's sentencing, it serves as a harsh reminder of the vulnerabilities in digital data security and the severe consequences of exploiting them.
The Finnish legal system is determined this time to protect the individual privacy of the people and deter cybercrime through stringent legal measures.