Finland: Hacker in Vastaamo case sentenced to six years in prison

Aleksanteri Kivimäki has been sentenced to six years and three months in prison by the Western Uusimaa District Court in Finland for hacking into the patient files of the psychotherapy centre Vastaamo and demanding 400,000 euros as a ransom.

The incident, which was brought to the attention of Finland's Data Protection Authority in 2020, resulted in approximately 33,000 individuals’ patient files being hacked.

At the time, the DPA imposed an administrative fine of 608,000 euros on Vastaamo for GDPR breaches: neglecting its duties related to the safe processing of personal data and delayed reporting of the data breach. The company has filed for bankruptcy, which means that it is unlikely the victims will receive much in compensation, and it is therefore not likely that the fine will be paid.

Individuals have been forced to make claims on their own. “Currently, there is a class action law in Finland, but it only applies to disputes between consumers and companies and only the Consumer Advocate has the right to file lawsuits. The law has been in force since 2007, and class action has never been used. The possibility of filing a lawsuit has mainly acted as a deterrent for companies,” the Finnish Bar Association says.

Vastaamo’s former CEO, Ville Tapio, was given a three-month suspended prison sentence last year for failing to protect individuals’ sensitive data. The appeal hearing will begin next year.

See the DPA decision from January 2022.