Decoding the world of cybersecurity

Vastaamo hacker wanted after appeal fails

Finnish police have issued a wanted notice for Aleksanteri Kivimäki after the Supreme Court refused him leave to appeal his sentence in the Vastaamo case.

Vastaamo hacker wanted after appeal fails
Summary
  • Finnish police issued a nationwide wanted notice for Aleksanteri Kivimäki after his appeal route closed.
  • Kivimäki was convicted over the Vastaamo psychotherapy centre breach and extortion case.
  • The case remains a major European example of sensitive health data harm, criminal accountability, and cyber governance failure.

Finnish police have issued a nationwide wanted notice for Aleksanteri Kivimäki after Finland’s Supreme Court refused him leave to appeal his prison sentence in the Vastaamo psychotherapy centre hacking and extortion case.

The notice was issued at the request of Finland’s Criminal Sanctions Agency, according to Finnish public broadcaster Yle. Police said Kivimäki is to be arrested if found and taken to prison to serve his sentence. His lawyer told Yle that Kivimäki was not in prison and was believed to be abroad, although his precise whereabouts were not known.

Kivimäki was convicted over the cyberattack and attempted extortion targeting Vastaamo, a private psychotherapy provider. The breach exposed highly sensitive patient records and became one of Europe’s most severe examples of cybercrime causing direct personal harm. The Helsinki Court of Appeal increased his sentence in February to six years and 11 months, one month below the maximum penalty available.

The latest police action moves the case from conviction and appeal into sentence enforcement. It does not alter the technical record of the breach, but it brings renewed focus to a case where the consequences reached far beyond service disruption, regulatory exposure, or financial loss. Therapy records were used as leverage against both the company and individual patients, creating harm that could not be contained through system recovery or breach notification.

Vastaamo remains a hard European benchmark for sensitive data governance. Organisations that hold health, social care, legal, safeguarding, employment, education, or counselling records need to understand where that data sits, who can access it, how it is protected, how long it is retained, and what would happen if it were stolen. Encryption, access control, vulnerability management, monitoring, backup discipline, and supplier oversight become much more consequential when the exposed data is intimate and enduring.

The case also exposed the limits of treating cyber risk as an IT control problem. Extortion against individuals changes the shape of an incident. Crisis plans need to account for victim support, law enforcement coordination, communications, identity protection, safeguarding, and long-term claims management. Those arrangements cannot be built after attackers have already contacted patients, customers, or clients.

European regulation has moved towards the same conclusion. GDPR enforcement, NIS2 obligations for relevant sectors, and wider resilience requirements all increase pressure on organisations to demonstrate that cyber risk is being managed before an incident. Sensitive data environments require a higher standard of governance because the failure mode is personal, not only operational.

Yle’s report on the wanted notice says the Vastaamo breach is considered the largest criminal case in Finnish history by number of victims. Police now have instructions to detain Kivimäki if he is found. The case continues to show how poor protection of sensitive data can become a lasting criminal, regulatory, and human harm event.

×