Executive summary: A massive data breach at Finnish psychotherapy firm Vastaamo has left thousands of patients’ most intimate therapy notes exposed online, following a ransomware attack by a hacker who demanded bitcoins and later published the entire database. The incident, which began in 2020, has had lasting psychological impacts on victims, with one woman, Meri-Tuuli Auer, sharing her story of resilience after her deepest secrets were leaked.
In October 2020, Meri-Tuuli Auer received a threatening email in her junk folder that contained her full name and social security number, demanding €200 in bitcoin within 24 hours to prevent her therapy notes from being published. The sender, who had hacked into Vastaamo’s patient database, knew intimate details about Auer’s life that she had shared only with her therapist, including her mental health struggles and a secret relationship. Auer, like 33,000 other Vastaamo patients, was held to ransom by this faceless hacker, who had accessed records containing sensitive information such as suicide attempts, affairs, and child sexual abuse. The fear of exposure led Auer to take sick leave and isolate herself at home, terrified that her private thoughts would become public knowledge.
The Vastaamo hack quickly escalated into Finland’s biggest-ever crime, prompting then Prime Minister Sanna Marin to convene an emergency meeting of ministers. Efforts to respond could not contain the leak: the hacker had already published the entire stolen database on the dark web before sending the ransom emails, ensuring that copies of the therapy notes circulated widely. In a country of 5.6 million people, nearly everyone knew someone affected, turning the breach into a national scandal. The notes, which included transcripts of therapy sessions, have remained accessible online for years, with victims continuing to face harassment and mockery.
Finnish police faced a daunting investigation due to the volume of data, but after two years, they identified the suspect as Julius Kivimäki, a known cybercriminal. Kivimäki was arrested in France in February 2023 and extradited to Finland, where he was tried in a case with 21,000 plaintiffs, necessitating public screenings in cinemas for victims to watch the proceedings. Auer attended one of these screenings and was struck by Kivimäki’s ordinary appearance, which made the crime feel even more unsettling. In the end, Kivimäki was found guilty and sentenced to six years and seven months in prison, though he continues to deny involvement.
The personal toll on victims has been severe. Auer, who has struggled with depression and anxiety for most of her life, found that reading her leaked therapy notes was heartbreaking, as they described her in harsh terms that made her feel sorry for her past self. The breach has eroded trust in mental health services, with many former Vastaamo clients vowing never to seek therapy again. Tragically, the lawyer representing victims reported at least two suicides linked to the exposure of therapy records, highlighting the profound emotional damage caused by the hack.
In response to the trauma, Auer decided to confront her fears head-on by publicly disclosing her victim status on social media and discussing her leaked secrets with her family, who offered support. She took back control of her narrative by publishing a book titled “Everyone Gets to Know,” where she shares her side of the story beyond what was captured in the clinical notes. Auer has come to accept that her secrets will always be available online, but she focuses on her wellbeing by not dwelling on it, demonstrating remarkable resilience in the face of violation.
The Vastaamo case underscores broader issues in cybersecurity and data protection, especially for sensitive health information. Even years after the initial breach, victims continue to be harmed through tools like a dark web search engine that allows anyone to find therapy records by name. This ongoing accessibility highlights the challenges in containing digital leaks and the need for stronger safeguards to prevent similar incidents in the future.
As cybercrimes targeting personal data become more common, the Vastaamo hack serves as a stark reminder of the human cost behind digital breaches. It has sparked conversations in Finland and beyond about privacy, mental health stigma, and the ethical responsibilities of companies handling sensitive information. Moving forward, efforts to improve cybersecurity measures and support for victims will be crucial in mitigating the impacts of such invasive attacks.
