French police have arrested a 25-year-old Finnish man accused of hacking a psychotherapy clinic, stealing more than 22,000 patients’ therapy notes, demanding ransom payments from them and also leaking this very private info on a Tor website.
The suspect, who was arrested on February 3, remains in French custody while he awaits extradition to Finland. While the Finnish police didn’t release the man’s name, infosec journalist Brian Krebs reports that he’s Julius “Zeekill” Kivimäki, who has previously been convicted of “tens of thousands of cybercrimes.”
Finnish authorities issued a warrant for his arrest in October 2022. At the same time, Kivimäki was “arrested in absentia” by the Helsinki District Court for aggravated attempted extortion, aggravated computer break-in and aggravated dissemination of information violating personal privacy, according to the local cops.
The court will hold a new remand hearing once Kivimäki is sent back to Finland. “The aim is to interview the suspect as soon as possible,” Marko Leponen, detective chief inspector of the National Bureau of Investigation, said in a statement. Leponen is leading the investigation.
Back in October, Psychotherapy Center Vastaamo admitted the data breach after patients’ stolen details started appearing on the dark web.
“In recent days, the blackmailer has published sections of the information he obtained during the hacking,” the Helsinki-based clinical chain said at the time. “Now the blackmailer has begun to approach the victims of the breach with blackmail letters demanding a ransom.”
The now-ex CEO of Vastaamo, Ville Tapio, was later charged with data protection offenses, and the psychotherapy center declared bankruptcy.
Oddly, by the time Vastaamo came clean about the stolen data in October 2022, the breach was more than three years old.
Company chairman Tuomas Kahri told local newspaper Helsingin Sanomat (in Finnish) that “no information has been leaked since November 2018”. He added, in a statement on the clinic’s website first issued last week, that “it is likely that our system [was also] infiltrated between the end of November 2018 and March 2019.”
Patients were reportedly blackmailed for €200 each, and the price tag jumped to €500 if the initial demand wasn’t paid within 24 hours, according to Krebs. Plus, in addition to publishing names and contact details, which other cybercriminals could use for identity theft, the miscreant threatened to leak patients’ therapy session notes.
Law enforcement and security researchers estimate that the crook stole between 32,000 and 40,000 patients’ sensitive information. As of October, 22,000 victims had reported the crime to the police.
Kivimäki also had the dubious honor of being named one of Europol’s Most Wanted Fugitives last year.