A hacker got 6 years in prison for stealing therapy notes and blackmailing patients

Joshua Zitser
·3 min read

  • Hacker Aleksanteri 'Julius' Kivimäki was sentenced to over six years in prison.

  • He was found guilty of hacking a therapy company to steal notes and blackmail thousands of patients.

  • The case was described by the Finnish court as the 'largest ever' in the Nordic country.

A Finnish hacker has been sentenced to six years and three months in prison after he was found guilty of stealing confidential therapy notes to blackmail thousands of patients.

The District Court of Western Uusimaa announced the sentencing of Aleksanteri "Julius" Kivimäki on Monday.

The judges found the 26-year-old guilty of all counts, which included 9,231 counts of disseminating information violating personal privacy and 20,745 counts of attempted aggravated extortion.

He was charged last October, after being extradited from France to Finland.

According to BBC News, Kivimäki targeted around 33,000 people.

In a bulletin published by Finland's judiciary system, the court said that the Vastaamo private psychotherapy service, which operated therapy centers across Finland, was hacked in November 2018.

The company's patient database was then illegally copied, it said.

According to BBC News, Kivimäki demanded a ransom of more than 400,000 euros, or $426,818, from the therapy company in 2020.

The Associated Press reported that the demand was higher — 450,000 euros, or about $480,000, to be paid using bitcoin.

When the company refused to comply, Kivimäki emailed thousands of patients asking them all for 200 euros, or $213, while threatening to publish their confidential therapy notes and personal details online if they didn't pay up, BBC News reported.

According to AP, he said the ransom would increase to 500 euros, or $534, in bitcoin if it wasn't paid within 24 hours.

A trove of confidential information then surfaced on the dark web, including patients' personal details, Social Security numbers, and sensitive therapist and doctor notes from sessions.

One man told WIRED that information discussed with his therapist about his abusive parents and drug and alcohol use was leaked online.

The BBC noted that at least one suicide has been linked to the case.

Kivimäki denied all the charges, but the legal bulletin cited evidence presented in the trial appearing to show his involvement.

For example, he had used a pseudonym to comment on the hacking and extortion in an online message board.

The court also found that Kivimäki had used a server implicated in the crimes more extensively than he had admitted in the trial, and used an encryption key and IP address in a way he had denied in his testimony.

The court also cited a payment of 0.1 bitcoin made by the National Bureau of Investigation in 2020 that appeared to reach Kivimäki.

"The quality of the crime was exceptional, and due to the number of parties involved, it was the largest ever in our country," the bulletin said.

The court proceedings have yet to address compensation claims for the victims.

Brunswick, an international public relations firm, said that healthcare data is disproportionally susceptible to extortion.

A 2019 study in the Studies in Health Technology and Informatics journal outlined how healthcare data is particularly valuable to cybercriminals because it can contain financial and personal information that can be used for blackmail and fraudulent purposes.

According to data from the US Department of Health and Human Services, over 40 million people in the US were affected by healthcare data breaches in 2021.

Read the original article on Business Insider