Notorious Finnish Hacker Jailed Over Patient Records Hack

Matthew Broersma,
Linkedin
Hacker Julius Kivimaki. Image credit: Europol

Finnish hacker Julius Kivimäki jailed for six years after blackmail attempts on 21,000 patients using stolen psychotherapy records

A notorious Finnish hacker has been sentenced to six years and three months in prison after attempting to extort ransom from tens of thousands of patients using records hacked from a private psychotherapy centre.

Länsi-Uusimaa District Court found that Aleksanteri “Julius” Kivimäki, 26, was guilty of offences including an aggravated data breach, nearly 21,000 aggravated blackmail attempts and more than 9,200 aggravated disseminations of information infringing private life.

The court said the “ruthless” crimes were “very damaging” to patients in a fragile state of mental health.

Lawyer Jenni Raiskio, representing 1,500 clients, told Finnish newspaper Hensingin Sanomat in March that several of the victims died by suicide after sensitive information was leaked.

Hacker Julius Kivimaki in a 2014 interview with Sky News. Image credit: Sky News
Julius Kivimaki in a 2014 interview with Sky News. Image credit: Sky News

Patient extortion

Kivimäki in 2018 hacked the computer network of the Vastaamo psychoterapy centre and downloaded its database on some 33,000 clients, according to prosecutors.

The Vastaamo clinic had branches throughout the country and acted as a private sub-contractor for Finland’s public health system.

Its chief executive was fired and prosecuted following the breach over a lack of proper security measures. The clinic later went bankrupt.

Kivimäki, who as a teenager was an extremely prolific hacker, took part in disabling the PlayStation Network and Xbox Live online gaming services over Christmas 2014, as part of the Lizard Squad hacking group.

He initially attempted to blackmail the clinic for about 370,000 euros ($396,000) in Bitcoin.

hacker, hacking, security, lizard squad
Kivimäki was part of the Lizard Squad hacking group.

Red Notice

When the clinic refused to pay, he began contacting thousands of patients directly in October 2020 and ordering them to pay 200 euros within 24 hours. If they refused the amount was raised to 500 euros.

About 20 people paid before the victims realised that Kivimäki had already accidentally leaked the entire database to a hacker forum, where it remains accessible today, the BBC reported.

Police suspected Kivimäki of the hack and in 2022 a Europol Red Notice was issued against him.

He was arrested last February in Paris, where he was found to be living with forged identity documents, and was extradited to Finland.

Prosecutors had sought seven years in prison, the maximum for such crimes under Finnish law. Due to the Finnish legal system Kivimäki is likely to serve about half his sentence.