Vastaamo 2019 Data Breach

Vastaamo Psychotherapy Provider Breach (Finland, 2019): Therapy Session Notes & Patient SSN Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Aleksanteri Kivimäki ("ransom_man") - convictedRansomwareMedicalEmail AddressFull NameHealth InformationSocial Security Number
Moderate SeverityWebsite / service breach

Vastaamo Psychotherapy Provider Breach (Finland, 2019): Therapy Session Notes & Patient SSN Exposed

Finnish psychotherapy services provider.

Verified by ObscureIQ Intelligence
54/100Breach Risk Index
40Data Value
10Market Recency
1745dSince Breach

Breach Intelligence Summary

Entity: Vastaamo · Actor: Aleksanteri Kivimäki ("ransom_man") - convicted · Sources: 4 references
Attack: Ransomware
Profile: Healthcare provider · Psychotherapy and mental health services · Clinical care provider · Finland
Timeline: Breach (2019-03-31) · Indexed (Jul 17, 2021) · Year (2019)
Exposure: 30K records · 4 fields: Email Address, Full Name, Health Information, Social Security Number
Status: Confirmed

Executive Summary

Vastaamo, a Finnish psychotherapy services provider that was at one point the largest private mental-health provider in Finland, suffered a data breach with two distinct phases. The original intrusion occurred between late 2018 and early 2019, exposing approximately 30,000 patient records from Vastaamo's centralized patient-records database. The breach remained undisclosed for over a year. In October 2020, the attacker launched a ransomware-style extortion campaign, first attempting to extort Vastaamo itself and then turning directly to individual patients, threatening to publish their therapy session notes unless they paid a personal ransom in Bitcoin. The exposed dataset contained approximately 30,000 unique email addresses alongside names, Finnish personal identity codes (the equivalent of Social Security numbers), and verbatim psychotherapy session notes including clinician observations, patient disclosures, and treatment histories. The compromised therapy notes covered sensitive topics typical of psychotherapy including childhood trauma, sexual identity, substance use, family conflict, suicidal ideation, and other deeply private personal disclosures. The attacker, later identified as Finnish national Aleksanteri Kivimäki, posted batches of the data publicly on the dark web after Vastaamo refused to pay the corporate ransom. For affected patients, the Vastaamo breach represented an unusually severe and durable harm profile that went beyond standard identity-fraud risk. Many individuals received personal extortion demands referencing real disclosures from their therapy sessions, and many of those disclosures were ultimately published. Finnish authorities documented at least one patient suicide following the breach. Affected patients faced lasting consequences including marriage and family disruption, employment risk where mental-health stigma applied, and ongoing psychological harm from the exposure of confidential therapy material. Vastaamo entered bankruptcy in early 2021. The attacker Kivimäki was convicted in Finland in 2024 and received a six-year prison sentence on multiple charges including aggravated extortion. The case fundamentally reshaped Finnish data-protection law regarding patient mental-health records and is widely cited as the most consequential mental-health data breach in European history.

ObscureIQ assessment: Exceptionally severe. Exposure can enable extortion, coercion, reputational harm, identity theft, and profound privacy violations tied to psychotherapy content and mental-health status.

Breach Impact

The institutional impact on Vastaamo was effectively terminal. The company entered bankruptcy proceedings and was liquidated. The Finnish Data Protection Ombudsman fined the parent company, and civil claims followed from many of the affected patients. Finnish authorities pursued criminal prosecution of the attacker through to conviction. The reputational impact extended across the Finnish private healthcare sector, raising concerns about whether private-equity-backed mental health providers were investing adequately in cybersecurity. The case has been formally cited in European data protection regulatory updates and has shaped subsequent regulatory expectations for mental-health data security across the EU. The institutional impact also included broader chilling effects on Finnish patients' willingness to seek private mental health care, particularly for sensitive conditions where therapy-note exposure could affect employment or family relationships.

About Vastaamo

Vastaamo (Psykoterapiakeskus Vastaamo Oy) was a private psychotherapy services provider headquartered in Espoo, Finland. Founded in 2008, the company operated a network of psychotherapy clinics across Finland and provided in-person and remote therapy services through a centralized electronic patient-records system. Vastaamo was at one point Finland's largest private mental health services provider, handling tens of thousands of patient relationships including children, adolescents, and adults. As a HIPAA-equivalent provider operating under Finnish health-data regulations, Vastaamo maintained extremely sensitive patient identity, contact, billing, and detailed mental-health treatment records, including verbatim therapy session notes and clinician observations from individual sessions.

Why They Hold Your Data

Psychotherapy providers collect extremely sensitive patient identity, contact, billing, and detailed mental-health treatment records, including notes and therapy-related disclosures.

Recent Developments

The Vastaamo breach is one of the most consequential healthcare data incidents in European history and led to fundamental changes in Finnish data protection law. Vastaamo declared bankruptcy and was liquidated in early 2021, with the parent company unable to recover from the regulatory, civil, and reputational consequences. In 2024, Finnish authorities convicted the attacker, Aleksanteri Kivimäki, on multiple counts including aggravated extortion, aggravated breach of personal data, aggravated dissemination of information violating personal privacy, and additional charges related to extortion of individual Vastaamo patients. Kivimäki received a six-year prison sentence. The Finnish parliament tightened patient-data security requirements following the breach, and the European data-protection community continues to reference Vastaamo as the leading case study in mental-health data breach harm.

Data Points Exposed

4 verified field types
Email Address
Full Name High
Health Information Critical
Social Security Number Critical

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:High
Primary downstream threats:
  • Identity theft and synthetic identity construction using government-issued IDs
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Insurance fraud & employment discrimination
  • Full identity theft & synthetic identity fraud

Threat Actor: Aleksanteri Kivimäki ("ransom_man") - convicted

Aleksanteri Kivimäki ("ransom_man") - convicted
Ransomware

Attribution and method are based on available breach intelligence. Reported attack vector: Ransomware.

Recommended Actions

If you believe your information may be included:

Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
IdentityTheft.gov
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Vastaamo breach?

Vastaamo, a Finnish psychotherapy services provider that was at one point the largest private mental-health provider in Finland, suffered a data breach with two distinct phases. The original intrusion occurred between late 2018 and early 2019, exposing approximately 30,000 patient records from…

What data was exposed?

Verified fields include Email Address, Full Name, Health Information, Social Security Number.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
Have I Been Pwned
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
BreachForums_Official_Index
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation