Cyber-bastard jailed for stealing psychotherapy files, blackmailing patients

A cyber-thief who snatched tens of thousands of patients’ sensitive records from a psychotherapy clinic before blackmailing them and then leaking their files online has been caged for six years and three months.

The district court of Länsi-Uusimaa, Finland, sentenced Aleksanteri Kivimäki, 26, on Tuesday for crimes against the Vastaamo center and those in its care, which included more than 20,000 extortion attempts. 

Specifically, a judge last month found Kivimäki guilty of 9,231 counts of aggravated dissemination of information infringing on individuals’ private lives, 20,745 counts of aggravated attempted blackmail, and 20 counts of aggravated blackmail. The former CEO of Vastaamo has already received a three-month suspended sentence for failing to protect his clients’ data.

Kivimäki’s extortion spree seemingly triggered so many complaints to the police that Finland’s reported crime figures skyrocketed in a week, to more than double the usual rate.

During Kivimäki’s trial, the judge separated the compensation claims related to the data theft at the Helsinki-based clinic from the criminal case, and these will be scheduled for later trials. Kivimäki, according to the district court, faces more than 5,000 compensation claims to date.

The massive privacy nightmare dates back almost six years to November 2018, when Kivimäki, known online as Zeekill, broke into Psychotherapy Center Vastaamo Oy’s IT system and downloaded the patient database. Shortly after, at least some of those patients’ sensitive information started appearing online. 

Kivimäki demanded a €200 ($213) ransom payment from each Vastaamo patient, presumably to not leak their data in particular, and that reportedly jumped to €500 ($534) if the initial demand wasn’t paid within 24 hours. In addition to dumping names and contact information, the crook also leaked patients’ therapy records and session notes.

Finnish authorities issued a warrant for Kivimäki’s arrest in October 2022, and the scumbag was snared in France on February 3 last year.

The court determined that the crimes had been committed using a server Kivimäki – who previously used the first name Julius – frequently used, and that he was a partial owner of the datacenter that housed this hardware. He was also found to have personally used an encryption key and IP address connected to the intrusion.

“Kivimäki’s guilt was also supported by the fact that he had published messages related to the data breach and extortion on the forum Ylilauta under his pseudonym in a purposeful and fixed temporal connection with the extortion actions,” the district court said.

All of this made it “implausible that Kivimäki would have been able to publish the messages in the way he did, if he had been outside the criminal organization and had only learned about it from the Supreme Court discussion or, for example, from the media.” ®