When Meri-Tuuli Auer saw the subject line in her junk folder, she knew it was no ordinary spam email. It contained her full name and her social security number – the unique code that Finnish people use to access public services and banking.
The email was full of details about Auer that no one else needs to know.
The sender knew that she had psychotherapy through a company called Vastaamo. They said they had hacked Vastaamo’s patient database and wanted Auer to pay €200 (£175) in bitcoin within 24 hours, or the price would rise to €500 within 48 hours.
If she didn’t pay, they wrote, “your information will be published for all to see, including your name, address, phone number, social security number and detailed patient records with transcripts of your conversations with Vastaamo’s therapists”.
“That’s the fear,” Auer, 30, told me. “I took sick leave from work, I shut myself in the house. I didn’t want to leave. I didn’t want people to see me.”
She was one of 33,000 Vastaamo patients held to ransom in October 2020 by a nameless, faceless hacker.
They had shared their most intimate thoughts with their therapists, including details about suicide attempts, affairs and child sexual abuse.
In Finland, a country of 5.6 million people, everyone seems to know someone who has had their therapy records stolen. It became a national scandal, Finland’s biggest crime, and Prime Minister Sanna Marin earlier called an emergency meeting of ministers to discuss a response.
But it was too late to stop the hacker.
Before sending the emails to Vastaamo’s patients, the hacker published the entire database of records stolen from the company on the dark web and an unknown number of people were able to read or download a copy. These notes have been circulating ever since.
Auer told her therapist things she didn’t want her closest family members to know – about her heavy drinking, and a secret relationship she had with an older man.
Now, her worst fear had come true.
But instead of destroying her, the hack made her realize that she was stronger than she thought.
Auer’s flat, on the outskirts of Helsinki, looks cheerful. Barbie memorabilia fills her shelves and there is a pole dancing pole in the middle of her living room. But don’t be fooled by how things look, says Auer. She struggled with depression and anxiety most of her life.
“I’m outgoing and very confident and I like to be with people,” Auer says, “but I get the idea that they all think I’m stupid and ugly, and that my life is a series of mistakes.”
Auer first sought help in 2015. She told her Vastaamo therapist about her mental problems, her drinking and her 18-year-old relationship with an older man she kept from her family. She said she completely trusted her therapist and with his help she made real progress. She had no idea what he had written in his notes of their conversation.
By the time she received the ransom email, news had already broken about the Vastaamo hack. Three days earlier, the extortionist began leaking therapy notes on the dark web in batches of 100 a day, in the hope of forcing the company to pay the much larger ransom – the bitcoin equivalent of around £400,000 – that he had been demanding from them for weeks.
Auer said she was compelled to look at them.
“I’ve never used the dark web before. But I thought to myself, I just need to see if my records are there.”
When she discovered they weren’t, she closed the file and didn’t read anyone else’s records, she said. But she saw how other people on the dark web mocked the plight of patients. “A 10-year-old goes to therapy, and people find it funny.”
And a few days later, when it became clear that every Vastaamo patient’s records had been published, Auer’s mental health began to deteriorate.
Not sure who was responsible, or who could read her most private thoughts, she was afraid to take public transportation, leave the house, or even open the door to the postman. She doubted the hacker would be found.
Finnish detectives also feared that they would not be able to find the suspect because of the amount of data they had to sift through.
“I can’t even imagine the scale of it. This is not a normal case,” said Marko Lepponen, the detective leading the investigation for the Finnish police.
But after two years of investigation, in October 2022, they named their suspect: Julius Kivimäki, a known cybercriminal.
In February 2023 Kivimäki was arrested in France and brought back to Finland to face charges.
There was no courtroom large enough to accommodate the 21,000 former patients of Vastaamo who registered themselves as plaintiffs in the criminal case, so screenings were held in public places including movie theaters to give them a chance to watch the trial.
Determined to see Kivimäki face justice, Auer attended one of the screenings and was amazed at his unremarkable appearance.
“He looks like a regular Finnish young man,” she told me. “It makes me feel like it could be anybody.”
When he was found guilty, and sentenced to six years and seven months in prison, she said it felt like a validation.
“Whatever sentence is given to him will never make up for everything. The suffering of the victims was seen in court – I am grateful for that.”
Kivimäki continues to deny being responsible for the hack.
In the months after she learned about the hack, Auer requested a hard copy of her records from Vastaamo.
Her notes sat in a thick stack on the table between us as she told me what happened.
Although their records were released more than five years ago, Vastaamo patients continue to be victimized. Someone even created a search engine that allows users to search for records on the dark web just by typing in a person’s name.
Auer agreed to share some of her leaked therapy records with me.
“The patient is often angry, demanding, bitter,” she said, reading some of the first notes her therapist wrote about their sessions. “The patient recounts their past in a rambling manner. There are some interpersonal difficulties that arise from the patient’s fragile nature, which is typical of their age.”
When she read it for the first time she was devastated, Auer said. “I was hurt when he described me. I felt sorry for who I was before.”
She said the data breach undermined patient trust. “There are a lot of people who are Vastaamo clients who have been coming to therapy for years but now won’t book another therapy session.”
The lawyer representing Vastaamo’s victims in a civil suit against the hacker told me he knows of at least two cases where people took their own lives after realizing their therapy notes had been stolen.
Auer decided to face her fear. She posted on social media about the hack, letting everyone know that she was one of the victims.
“It’s easier for me to know that everyone who knows me already knows,” she said. She told her family about what was in her leaked records, including a secret affair she had never told them about before. “People have been very supportive.”
In the end, she chose to take back control of her story by publishing a book about her experiences. Loosely translated, the title is Everyone Gets to Know.
“I’m turning it into a narrative. At least I can tell my side of the story — the one that doesn’t appear in patient records.”
Auer has come to accept that her secrets will always come out.
“For my own sake, it’s better not to think about it.”


