In a shocking breach of privacy, a faceless hacker has stolen the therapy records of over 33,000 patients in Finland, exposing their deepest secrets to the world. The incident, which has been described as the country’s biggest-ever crime, has left a lasting impact on the victims and the nation as a whole.
The attack targeted Vastaamo, a leading mental health service provider in Finland. The hacker gained access to the company’s patient database and proceeded to demand a ransom from each individual, threatening to publish their personal information and therapy transcripts if the payment was not made. When Vastaamo refused to comply, the hacker carried out the threat, releasing the entire database on the dark web.
Meri-Tuuli Auer, one of the victims, recounts the harrowing experience. “That’s when the fear set in,” she says. “I took sick leave from work, I closed myself in at home. I didn’t want to leave. I didn’t want people to see me.” Auer had shared intimate details about her life, including her struggles with depression, binge drinking, and a secret relationship, with her therapist, never imagining that this information would be made public.
The impact of the data breach has been far-reaching. In a country of 5.6 million people, it seemed that everyone knew someone affected by the hack. The scandal became a national crisis, with the then-Prime Minister Sanna Marin convening an emergency meeting to address the situation.
Despite the efforts of Finnish authorities, the hacker proved elusive. It took two years of meticulous investigation before a suspect was identified: Julius Kivimäki, a known cybercriminal. In February 2023, Kivimäki was arrested in France and extradited to Finland to face charges.
The trial has been a monumental undertaking, with over 21,000 former Vastaamo patients registering as plaintiffs in the criminal case. Special screenings have been held in public spaces, including cinemas, to accommodate the sheer number of victims seeking justice.
For Auer, the sentencing of Kivimäki to six years and seven months in prison brought a sense of validation, though she acknowledges that no punishment could ever make up for the trauma inflicted. “Whatever sentence he was given could never make up for everything. The victims’ suffering was seen by the court – I was thankful for that,” she says.
The aftermath of the cyber attack continues to haunt the victims. Auer has requested a hard copy of her therapy records, which now sit on her table as a tangible reminder of the breach. The data has also been used to create a search engine that allows users to access the stolen records, perpetuating the violation of privacy.
Despite the challenges, Auer has chosen to confront her fears head-on. She has shared her story publicly, even writing a book about her experience, in an effort to reclaim her narrative. “I crafted it into a narrative. At least I can tell my side of the story – the one that’s not visible in the patient record,” she explains.
The Vastaamo cyber attack has shaken the foundations of trust in Finland’s healthcare system and left a lasting impact on the victims. As the country grapples with the aftermath, the case serves as a sobering reminder of the importance of robust cybersecurity measures and the need to protect the privacy and well-being of those seeking mental health support.
