Vastaamo, a Finnish psychotherapy services provider that was at one point the largest private mental-health provider in Finland, suffered a data breach with two distinct phases. The original intrusion occurred between late 2018 and early 2019, exposing approximately 30,000 patient records from Vastaamo's centralized patient-records database. The breach remained undisclosed for over a year. In October 2020, the attacker launched a ransomware-style extortion campaign, first attempting to extort Vastaamo itself and then turning directly to individual patients, threatening to publish their therapy session notes unless they paid a personal ransom in Bitcoin.

The exposed dataset contained approximately 30,000 unique email addresses alongside names, Finnish personal identity codes (the equivalent of Social Security numbers), and verbatim psychotherapy session notes including clinician observations, patient disclosures, and treatment histories. The compromised therapy notes covered sensitive topics typical of psychotherapy including childhood trauma, sexual identity, substance use, family conflict, suicidal ideation, and other deeply private personal disclosures. The attacker, later identified as Finnish national Aleksanteri Kivimäki, posted batches of the data publicly on the dark web after Vastaamo refused to pay the corporate ransom.

For affected patients, the Vastaamo breach represented an unusually severe and durable harm profile that went beyond standard identity-fraud risk. Many individuals received personal extortion demands referencing real disclosures from their therapy sessions, and many of those disclosures were ultimately published. Finnish authorities documented at least one patient suicide following the breach. Affected patients faced lasting consequences including marriage and family disruption, employment risk where mental-health stigma applied, and ongoing psychological harm from the exposure of confidential therapy material. Vastaamo entered bankruptcy in early 2021. The attacker Kivimäki was convicted in Finland in 2024 and received a six-year prison sentence on multiple charges including aggravated extortion. The case fundamentally reshaped Finnish data-protection law regarding patient mental-health records and is widely cited as the most consequential mental-health data breach in European history.

Psychotherapy providers collect extremely sensitive patient identity, contact, billing, and detailed mental-health treatment records, including notes and therapy-related disclosures.

The Vastaamo breach is one of the most consequential healthcare data incidents in European history and led to fundamental changes in Finnish data protection law. Vastaamo declared bankruptcy and was liquidated in early 2021, with the parent company unable to recover from the regulatory, civil, and reputational consequences. In 2024, Finnish authorities convicted the attacker, Aleksanteri Kivimäki, on multiple counts including aggravated extortion, aggravated breach of personal data, aggravated dissemination of information violating personal privacy, and additional charges related to extortion of individual Vastaamo patients. Kivimäki received a six-year prison sentence. The Finnish parliament tightened patient-data security requirements following the breach, and the European data-protection community continues to reference Vastaamo as the leading case study in mental-health data breach harm.