Vastaamo

The Vastaamo data breach (2018–2020) involved the hacking of a Finnish psychotherapy provider’s database, exposing the personal and medical records of 33,000 patients, including highly sensitive therapy notes. The attacker, later identified as Aleksanteri Kivimäki, blackmailed both the company and individual victims, demanding ransom payments in cryptocurrency. When demands went unmet, the stolen data, including records of children and trauma survivors, was published online. The breach had devastating consequences, with reports linking it to suicides among victims due to the exposure of deeply private information. Kivimäki was convicted of aggravated data breach, 20 counts of extortion, over 20,000 attempted extortions, and 9,000 privacy violations, receiving a 6.5-year prison sentence (prosecutors sought 7 years). The case remains one of Finland’s largest cybercrime trials, with 24,000+ victims filing police reports. The prolonged legal battle and Kivimäki’s temporary release in 2024 have further traumatized victims, many of whom continue to suffer psychological and reputational harm.

Source: https://www.helsinkitimes.fi/finland/finland-news/domestic/27889-kivimaeki-walks-free-during-appeal-over-vastaamo-data-breach.html

TPRM report: https://www.rankiteo.com/company/chino

"id": "chi3092730091125",
"linkid": "chino",
"type": "Breach",
"date": "6/2018",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '33,000 patients',
                        'industry': 'Healthcare',
                        'location': 'Finland',
                        'name': 'Vastaamo',
                        'type': 'Psychotherapy Provider'}],
 'attack_vector': ['Database Hacking',
                   'Extortion via Email/Online Publication'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '33,000',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'Extremely High (included trauma '
                                        'therapy notes, some involving '
                                        'children)',
                 'type_of_data_compromised': ['Personal Identifiable '
                                              'Information (PII)',
                                              'Medical Records (Psychotherapy '
                                              'Sessions)',
                                              'Sensitive Health Data']},
 'date_detected': '2018',
 'date_publicly_disclosed': '2020',
 'description': 'Aleksanteri Kivimäki, convicted of thousands of cybercrimes '
                'linked to the 2018 hacking of psychotherapy provider '
                'Vastaamo’s database, was temporarily released from custody by '
                'the Helsinki Court of Appeal in 2024. The breach involved the '
                'theft of personal and medical records of 33,000 patients, '
                'followed by blackmail in 2020. When ransom demands were '
                'unmet, the data was published online, leading to severe '
                'consequences for victims, including reported suicides. '
                'Kivimäki was initially sentenced to six years and three '
                'months in prison in April 2024 for aggravated data breach, '
                'extortion, and privacy violations but maintains his '
                'innocence. The appeal trial is ongoing, with a final ruling '
                'expected later in 2024.',
 'impact': {'brand_reputation_impact': 'Severe damage due to sensitive nature '
                                       'of breach and publicized victim '
                                       'suffering (including suicides)',
            'customer_complaints': 'Over 24,000 police reports filed by '
                                   'victims',
            'data_compromised': ['Personal Records',
                                 'Medical Records (Psychotherapy Notes)'],
            'identity_theft_risk': 'High (personal and medical data exposed)',
            'legal_liabilities': ['Ongoing trial',
                                  'Potential decades-long sentence if all '
                                  'offenses judged separately'],
            'systems_affected': ['Vastaamo Database']},
 'initial_access_broker': {'high_value_targets': ['Psychotherapy patient '
                                                  'records']},
 'investigation_status': 'Ongoing (Appeal trial in progress, final ruling '
                         'expected in 2024)',
 'motivation': ['Financial Gain', 'Blackmail'],
 'ransomware': {'data_exfiltration': True, 'ransom_demanded': True},
 'references': [{'source': 'Helsinki Times (HT)'},
                {'source': 'Iltalehti (Finnish news outlet)'}],
 'regulatory_compliance': {'legal_actions': ['Criminal trial ongoing',
                                             'Initial sentence: 6 years and 3 '
                                             'months (April 2024)',
                                             'Prosecutor seeking 7 years '
                                             '(maximum under Finnish law)']},
 'response': {'law_enforcement_notified': True},
 'threat_actor': 'Aleksanteri Kivimäki (alleged)',
 'title': 'Vastaamo Psychotherapy Data Breach and Extortion Case',
 'type': ['Data Breach', 'Extortion', 'Blackmail', 'Privacy Violation']}