Finnish Police Issue Wanted Notice for Aleksanteri Kivimäki After Supreme Court Finalises Vastaamo Sentence
AK
Alex Kim Threat intelligence editor · Updated Jul 15, 2026, 7:26 PM EDT
Finnish Police Issue Wanted Notice for Aleksanteri Kivimäki After Supreme Court Finalises Vastaamo Sentence
Finnish police have issued a public wanted notice for Aleksanteri Kivimäki after the Supreme Court on 13 July 2026 refused leave to appeal, making final his nearly seven-year prison sentence for the Vastaamo psychotherapy data breach and mass patient extortion. Eastern Uusimaa Police, acting at the request of the Criminal Sanctions Agency, instructed officers to arrest him and transfer him to Vantaa Prison to serve the remainder of his term. His lawyer, Peter Jaari, said he does not know his client’s location but believes Kivimäki is outside Finland.
The Helsinki Court of Appeal had sentenced Kivimäki to six years and 11 months for aggravated data breach, attempted extortion and unlawfully distributing private information. Judges described the crimes as carefully planned, financially motivated and exceptionally harmful to vulnerable victims. The term was reduced by one month after compensation agreements with some victims. The Court of Appeal released him from detention in September 2025 after determining further pretrial custody could violate his rights; he remained free while appeals continued. With the Supreme Court’s refusal, the conviction is final and authorities are seeking his return.
How the Systems Were Compromised
Psykoterapiakeskus Vastaamo, a private psychotherapy chain that combined clinics with remote sessions and employed more than 220 therapists at its peak, stored records in a bespoke browser-based electronic health record system backed by a MySQL database. The system was not a hardened commercial clinical platform. Investigators and technical reconstructions established that the database was reachable directly from the public internet with insufficient firewall restrictions. The root administrator account had no password. Patient data—including names, contact details, Finnish social security numbers and detailed psychotherapy session notes—was stored in plaintext without encryption or meaningful anonymisation. Remote administrative access enabled for convenience further expanded the attack surface.
Unauthorised access and full database exfiltration occurred in November 2018 and again in March 2019. The company did not publicly disclose the incident until autumn 2020. The root cause was not novel malware or a sophisticated zero-day exploit but gross misconfiguration of the kind internet-wide scanners can locate within minutes—negligence, not nation-state sophistication. Approximately 33,000 patients were affected.
B
Plaintext EHR: notes + SSN + PII
Exfiltration 2018–2019
Company ransom demand
Individual patient extortion + dark-web leaks
Internet-exposed MySQL] --> B[Root login no password
Extortion Campaign and Human Harm
Operating under the handle ransom_man, the attacker first demanded 40 bitcoin—roughly €450,000 at the time—from Vastaamo for non-publication. When the company refused and involved police, staged dumps of 100 patient records per day appeared on Tor and Finnish forums. Records were selected for high-harm content. Mass emails then targeted patients directly. Messages included the recipient’s name and social security number for credibility and demanded €200 in bitcoin within roughly 24 hours, rising to €500 if unpaid. More than 24,000 people reported receiving such demands, making the case Finland’s largest criminal matter by victim numbers.
When payments proved limited, the full database was released online. Payment no longer offered protection. Victims described panic attacks, isolation and a profound sense of public violation. Lawyers and investigative reporting have linked at least two suicides to discovery of the leaked therapy notes. Children and patients receiving treatment for severe trauma were among those exposed; public figures appeared in cherry-picked leaks. Psychological harm has persisted for years.
Legal Timeline
Access and exfiltration took place in 2018–2019. Public revelation, board investigation, the dismissal of CEO Ville Tapio and the start of staged leaks and patient emails followed in late September–October 2020. Mass victim reporting ensued. Vastaamo entered bankruptcy in February 2021. An international arrest warrant was issued in October 2022. French police arrested Kivimäki near Paris in Courbevoie on 3 February 2023 after a domestic incident exposed a false identity; he was extradited to Finland.
The Länsi-Uusimaa District Court found him guilty in April 2024 and imposed six years and three months. The Helsinki Court of Appeal later increased the sentence to six years and 11 months. The Supreme Court’s refusal of leave to appeal on 13 July 2026 rendered the conviction final and triggered the wanted notice. Kivimäki has consistently denied the charges, arguing the evidence is circumstantial and challenging server logs and cryptocurrency links. As a teenager known as Zeekill and linked to Lizard Squad activity, he received a 2015 suspended sentence for tens of thousands of computer offences.
In a parallel regulatory track, Finland’s Data Protection Authority imposed a €608,000 GDPR fine on Vastaamo for security and notification failures. Criminal proceedings against the former CEO form a separate matter and should not be conflated with Kivimäki’s final conviction.
Current Manhunt and Enforcement Challenges
The wanted notice is active. Location remains unknown; counsel’s assessment places him outside Finland. His prior use of false identities and mobility across Europe, including the 2023 French arrest, illustrate the difficulty of locating a digitally native offender who had a window of freedom after release pending final appeal. European Arrest Warrant and mutual legal assistance frameworks are the natural instruments if he is found within the Schengen or broader EU area, building on the earlier French extradition. Residual sentence after credit for time already served remains to be enforced once he is located.
Broader Trend: Intimate Data as Extortion Leverage
Vastaamo demonstrates a shift from classic ransomware that targets business continuity to direct-to-victim extortion that weaponises shame and permanent exposure. After the institutional demand failed, value moved to individual blackmail at price points optimised for volume conversion. The combination of company ransom, individual demands and a free full dump maximised harm and undermined any remaining “pay to protect” logic.
Therapy notes rank among the highest-sensitivity data categories. Any organisation holding intimate, non-anonymised longitudinal records—mental health, reproductive health, social work, school counselling or employee assistance programmes—faces the same playbook if perimeter controls and encryption fail.
Defensive and Policy Lessons
Finnish authorities responded with concrete measures. Victims gained a fast-track route to change personal identity codes after compromise, addressing identity-theft risk from exposed social security numbers. Policymakers pushed private social and healthcare providers toward the national Kanta platform, which offers stronger electronic identification and security. Oversight of critical-sector cybersecurity moved toward greater centralisation. The GDPR fine underscored notification and security obligations.
For healthcare CISOs and privacy officers the priorities are clear: treat therapy and free-text clinical notes as crown jewels; plan for victim-side extortion communications, not only corporate ransomware playbooks; and require rigorous vendor and bespoke EHR due diligence on defaults, encryption, network architecture and remote-access paths. Timely breach notification remains essential; delay compounds both legal exposure and human harm.
The Vastaamo case remains Europe’s landmark illustration of intimate-data extortion. With the conviction now final and a wanted notice active, the search for Aleksanteri Kivimäki continues while the operational lessons for every organisation that holds sensitive personal records remain urgent.