On April 30, 2024, 26-year-old computer hacker Aleksanteri Kivimäki was sentenced to 6 years and 3 months in prison by the Länsi-Uusimaa District Court in Finland.
Kivimäki stole the confidential therapist notes of 33,000 patient clients from Vastaamo, a Helsinki-based private psychotherapy company. He also sought to extort Vastaamo and blackmail over 20,000 patient clients. This was perhaps one of the most devastating data breach and extortion cases to date, and it will continue to have long-term effects on patients.
![Aleksanteri Julius Kivimäki- A EUROPOL WANTED POSTER FOR ALEKSANTERI "JULIUS" KIVIMÄKI PUBLISHED IN LATE 2022.](https://padoogler.com/wp-content/uploads/2024/05/kivimaki_wanted_poster_5b7bc8656e-1024x548.webp)
A EUROPOL WANTED POSTER FOR ALEKSANTERI “JULIUS” KIVIMÄKI PUBLISHED IN LATE 2022.
The data breach at Vastaamo was first reported in October 2020. The hacker demanded that the company pay 40 bitcoins, worth roughly 450,000 euros ($531,000) at the time. When Vastaamo refused, blackmail emails were sent to approximately 22,000 patients, according to Finnish police. The hacker, operating under the alias ransom_man, demanded ransoms of 200 euros ($236) each, to be increased to 500 euros ($590) if not paid within 24 hours.
The Investigation into Vastaamo Data Breach
Shortly afterwards, on October 23, 2020, a large file containing Vastaamo’s patient records was uploaded to the dark web. As security blogger Brian Krebs writes, the large “file also contained an entire copy of ransom_man’s home folder, a likely mistake that exposed a number of clues”, allowing investigators to zero in on the identity of the hacker.
One part of the investigation, where details remain murky, appears to have involved investigators from Finland’s National Bureau of Investigation (KRP) making a small online transaction: sending 0.1 Bitcoin to the blackmailer’s address. KRP seems to have used this payment to trace funds to Kivimäki.
In October 2022, Kivimäki failed to appear for a hearing and absconded. Police issued an international arrest warrant. In February 2023, he was arrested in Courbevoie, France, and brought back to Finland.
In its reporting on the trial, the Helsingin Sanomat newspaper notes that “the evaluation of the evidence as a whole” led to the judgement against Kivimäki.
Kivimäki was not previously unknown to the authorities, but he had escaped with minimal consequences because he was a teenager during some of his earlier hacking activity. In 2012-2013, he carried out 50,700 DDoS (distributed denial-of-service) attacks, for which he was found guilty in 2015. Kivimäki was also responsible for an August 2014 bomb threat directed at former Sony Online Entertainment President John Smedley while Smedley was aboard an American Airlines flight.
Vastaamo – System and Leadership Failure
Since its founding in 2008, Vastaamo had grown to 25 therapy centers across Finland by 2020, making it the largest private therapy company in the country. During the investigation that followed the 2020 extortion, earlier intrusions into Vastaamo’s systems in 2018 and 2019 were uncovered.
![Vastaamo, a Finnish company that provided private mental-health services to its patients, founded in 2008. Credit - Vastaamo, CC BY-SA 3.0 <https://creativecommons.org/licenses/by-sa/3.0>, via Wikimedia Commons](https://padoogler.com/wp-content/uploads/2024/05/Vastaamo.fi-logo-2.jpg)
Credit – Vastaamo, CC BY-SA 3.0 <https://creativecommons.org/licenses/by-sa/3.0>, via Wikimedia Commons
According to Finland’s Data Protection Ombudsman, “the most likely cause for the patient record database leak was an unprotected MySQL port in the database, in which the root user account of the database had not been password protected. The user account had also been granted the right to log into the database from any IP address. The patient record database server was open to the internet without the protection of a firewall at least from 26 November 2017 to 13 March 2019”.
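The Ombudsman’s finding describes three separate configuration failures (a database port reachable from the internet, a root account with no password, and a root account allowed to connect from any host), and each of them is visible in plain server output. The script below is an added example written for this article, not code from Vastaamo, the Ombudsman or the investigation; it audits a pasted `mysql.user` listing and a `[mysqld]` section of `my.cnf` for exactly those conditions and suggests a hardening statement for each account finding. The sample rows and config fragment are constructed here for illustration, as are the hash values in them.

```python
"""
Offline audit for the misconfigurations named in the Ombudsman's finding:
a MySQL server listening on all interfaces, accounts without a password,
and accounts permitted to log in from any host.

Added example for this article (not the project's or investigators' code).
Input is text you would paste from the server, so it runs with no database.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical" or "high"
    subject: str    # account in 'user'@'host' form, or "[mysqld]"
    message: str


# Constructed sample: what `mysql -B -e "SELECT user, host, plugin,
# authentication_string FROM mysql.user"` prints (tab-separated, header first).
# The hash strings are made up for the example.
SAMPLE_USER_ROWS = """\
user\thost\tplugin\tauthentication_string
root\t%\tmysql_native_password\t
root\tlocalhost\tmysql_native_password\t*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
app\t10.0.0.%\tmysql_native_password\t*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
reporting\t%\tcaching_sha2_password\t$A$005$constructedhashvalue
"""

# Constructed sample my.cnf: the bind-address line is commented out, so the
# server falls back to listening on every interface.
SAMPLE_MY_CNF = """\
[mysqld]
datadir=/var/lib/mysql
port=3306
# bind-address=127.0.0.1
"""


def parse_user_rows(text):
    """Parse tab-separated mysql.user output (header row first) into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def audit_accounts(rows):
    """Flag empty passwords and wildcard hosts; root from any host is critical."""
    findings = []
    for row in rows:
        acct = f"'{row['user']}'@'{row['host']}'"
        if row["authentication_string"] == "":
            findings.append(Finding("critical", acct, "account has no password"))
        any_host = row["host"] in ("%", "")
        if any_host and row["user"] == "root":
            findings.append(Finding("critical", acct, "superuser may log in from any host"))
        elif any_host:
            findings.append(Finding("high", acct, "account may log in from any host"))
    return findings


def audit_mysqld_config(cnf_text):
    """Flag a [mysqld] section that leaves the server listening on all interfaces."""
    in_mysqld = False
    bind = None
    skip_networking = False
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if not in_mysqld:
            continue
        key, _, value = line.partition("=")
        key = key.strip().replace("_", "-").lower()
        if key == "bind-address":
            bind = value.strip()
        elif key == "skip-networking":
            skip_networking = True
    if skip_networking:
        return []                                # TCP disabled entirely
    if bind is None or bind in ("0.0.0.0", "*", "::"):
        return [Finding("high", "[mysqld]",
                        f"listens on all interfaces (bind-address={bind!r}); "
                        "set bind-address=127.0.0.1 or restrict port 3306 with a firewall")]
    return []


def suggest_remediation(finding):
    """Hardening SQL for an account finding; the password is a placeholder."""
    if finding.message == "account has no password":
        return f"ALTER USER {finding.subject} IDENTIFIED BY '<strong-password-placeholder>';"
    if "any host" in finding.message:
        return f"DROP USER {finding.subject};  -- after creating a host-restricted equivalent"
    return None


if __name__ == "__main__":
    for f in audit_accounts(parse_user_rows(SAMPLE_USER_ROWS)) + audit_mysqld_config(SAMPLE_MY_CNF):
        print(f"[{f.severity}] {f.subject}: {f.message}")
        if (fix := suggest_remediation(f)):
            print("    fix:", fix)
```

Run against the constructed sample it reports two critical findings for `'root'@'%'` (no password, and superuser reachable from any host), one high finding for `'reporting'@'%'`, and one high finding for the server binding. The binding check treats `skip-networking` as safe and accepts a loopback `bind-address`; everything else that maps to all interfaces is flagged, since a firewall in front of the port is the other half of the control and cannot be verified from the config file alone.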
The Fallout and Impact of the Hacking
- Given the failure to have secure systems in place and the non-disclosure of the earlier intrusions in 2018 and 2019, Vastaamo’s board fired its founder and CEO, Ville Tapio, in October 2020.
- In May 2019, Intera Partners, a Finnish private equity firm, acquired a 70% stake in Vastaamo. One factor in Vastaamo not disclosing the earlier intrusions may have been a desire to see the acquisition close. Intera Partners has pursued legal action against the Tapio family to claw back the money it invested.
- Vastaamo was forced to declare bankruptcy in February 2021.
- In December 2021, the Data Protection Ombudsman levied a fine of EUR 608,000 ($687,000) on Vastaamo for violating the General Data Protection Regulation (GDPR).
But the biggest impact is the one on patients and society. Any identity theft or cybercrime is a problem, but the theft of patient session data and notes in a psychotherapy context is a particularly severe violation of trust.
As health data becomes ever more digitized, patients must trust healthcare systems with personal information, and the possibility, as in this case, of that private information surfacing on the internet years later is real. There are also worse outcomes.
In March 2024, the Finnish newspaper Helsingin Sanomat quoted lawyer Jenni Raiskio, who represents some 1,500 patient clients, as saying that “In some of the cases, the victim has taken his own life when it became clear that the information had been leaked. Some have committed suicide during the criminal process.”
There are several resources available for people in crisis. If you or someone you know needs to talk to somebody who can help, please see below for how to reach these resources:
Crisis Resources
- National 988 Crisis Line – call or text 988, or chat 988lifeline.org
- Crisis Textline: text TALK to 741741
- Veterans Crisis Line: Call 800-273-8255 or text 838255
- Disaster Distress Helpline: Call 1-800-985-5990 or text TalkWithUs to 66746
Some Additional Resources
Below are links to important resources regarding HIPAA, patient confidentiality and rights, and a list of providers currently under investigation:
- List of healthcare providers and companies currently being investigated due to a breach of Unsecured Protected Health Information affecting 500 or more individuals – https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- HIPAA Breach Rule and notification requirements, please see here – https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
- What to do in the case of an identity theft – https://www.identitytheft.gov/
- Patient Rights under HIPAA – How to verify and correct your medical record in case of identity theft – https://www.hhs.gov/hipaa/for-individuals/medical-records/index.html