Aleksanteri Kivimäki, a 26-year-old Finnish man, has been sentenced to six years and three months in prison for hacking patient records at a psychotherapy center. The charges against him included aggravated data breach, blackmail attempts, and disseminating private information. The case sparked outrage in Finland, with a record number of 24,000 people filing criminal complaints. Kivimäki was found guilty of hacking thousands of patient records and seeking ransom from some of the patients over the sensitive data.
Kivimäki was arrested in February 2023 by French police and deported to Finland after he was found living under a false identity near Paris. His trial concluded last month, resulting in the conviction and sentencing. The Länsi-Uusimaa District Court called the crimes committed by Kivimäki “ruthless” and “very damaging” given the impact on those involved. The charges against him included nearly 21,000 aggravated blackmail attempts and over 9,200 aggravated disseminations of information infringing private life.
In 2018, Kivimäki hacked into the information system of the Vastaamo psychotherapy center and downloaded the database of around 33,000 clients. Vastaamo, which filed for bankruptcy in 2021, had branches across Finland and worked as a sub-contractor for the country’s public health system. Kivimäki initially demanded a ransom of approximately $396,000 in bitcoins from Vastaamo, threatening to publish the patient records if they did not comply. When the center refused, Kivimäki began posting patient information on the dark web and sending messages to patients demanding a ransom ranging from 200 to 500 euros, with around 20 patients paying.
Kivimäki denied all charges against him, and his lawyer indicated that he would likely file an appeal. Prosecutors in the case had sought a seven-year prison sentence, which is the maximum penalty for such crimes under Finnish law. Kivimäki’s criminal history dates back to when he was 15, with reports of hacking into over 50,000 servers using software he developed. He has also been convicted in the United States for hacking cases involving the U.S. Air Force and Sony Online Entertainment. The case highlights the importance of cybersecurity and the severe consequences of hacking and data breaches.