
Finnish hacker imprisoned for accessing thousands of psychotherapy records and demanding ransoms

FILE - Exterior view of the offices of Vastaamo psychotherapy centre, in Pasila, Helsinki, Saturday, Oct. 24, 2020. A Finnish court on Tuesday sentenced a 26-year-old man to six years and three months in prison for hacking tens of thousands of patient records at a private psychotherapy center and seeking ransom from some patients over the sensitive data. (Heikki Saukkomaa/Lehtikuva via AP, File)

HELSINKI (AP) — A Finnish court on Tuesday sentenced a 26-year-old man to six years and three months in prison for hacking tens of thousands of patient records at a private psychotherapy center and seeking ransom from some patients over the sensitive data.

The case, which was initially revealed in October 2020, has caused outrage and shock in the Nordic nation, with a record number of people — about 24,000 — filing criminal complaints with police.

In February 2023, French police arrested well-known Finnish hacker Aleksanteri Kivimäki, who was living under a false identity near Paris, and deported him to Finland. His trial ended last month.

The Länsi-Uusimaa District Court said Kivimäki was guilty of, among other things, an aggravated data breach, nearly 21,000 aggravated blackmail attempts and more than 9,200 aggravated disseminations of information infringing private life.

The court called the crimes “ruthless” and “very damaging” considering the psychological state of the people involved. According to the charges, Kivimäki in 2018 hacked into the information system of the Vastaamo psychotherapy center and downloaded its database of some 33,000 clients.

Lawyer Jenni Raiskio, who is representing some 1,500 clients, told the Finnish newspaper Helsingin Sanomat in March that at least a few of the victims died by suicide due to the sensitive nature of information in the leaked files.

Vastaamo, which was suspected of lax protection of client data and declared bankruptcy in 2021, had branches throughout the country and operated as a sub-contractor for Finland’s public health system.

Prosecutors said Kivimäki first demanded that Vastaamo pay him an amount equivalent to around 370,000 euros ($396,000) in bitcoins in exchange for not publishing the patient records.

When the center refused, Kivimäki in 2020 began publishing patient information on the dark web and sent patients messages demanding a ransom of 200 euros or 500 euros. About 20 patients paid, prosecutors said.

Kivimäki denied all the charges. His lawyer said he would likely appeal. Prosecutors had sought seven years in prison, the maximum for such crimes under Finnish law.

Kivimäki was first convicted at age 15 after hacking into over 50,000 servers with software he developed, Finnish newspaper Ilta-Sanomat reported in 2022.

In the United States, he was convicted over hacking cases involving the U.S. Air Force and Sony Online Entertainment.

The Vastaamo case led the Finnish government to fast-track a legislative change that allows citizens to change their personal identity codes — a key to accessing public and private services — in cases of gross data breaches that carry a high risk of identity theft.