Finland Issues Wanted Notice for Hacker in Massive Psychotherapy Data Breach
Finnish authorities have issued a wanted notice for convicted hacker Aleksanteri Kivimäki in connection with the 2020 Vastaamo data breach, which compromised sensitive patient records.

Finnish police have issued a wanted notice for Aleksanteri Kivimäki, a convicted hacker, following the Supreme Court's refusal to hear his appeal. This decision upholds a lower court's ruling that sentenced Kivimäki to nearly seven years in prison for his role in the 2020 Vastaamo data breach, which involved hacking the psychotherapy provider and subsequently extorting both the company and its patients.
The Eastern Uusimaa Police stated that the wanted notice was issued at the request of Finland's Criminal Sanctions Agency. Law enforcement has been directed to arrest Kivimäki if he is located and to ensure he serves the remainder of his sentence at Vantaa Prison. Kivimäki's lawyer indicated that the suspect is believed to be outside of Finland, potentially complicating international efforts to apprehend him.
The Court of Appeal found Kivimäki guilty of aggravated data breach, attempted extortion, and unlawfully distributing private information. The judges characterized the crimes as meticulously planned, motivated by financial gain, and causing exceptional harm to a large number of particularly vulnerable victims. While the court acknowledged the severity of the offenses, it reduced Kivimäki's sentence by one month due to compensation agreements reached with some victims.
Throughout the legal proceedings, Kivimäki has maintained his innocence, arguing that the prosecution's case relied heavily on circumstantial evidence. He challenged the digital evidence linking him to the hack and disputed the cryptocurrency transactions associated with the extortion scheme. Notably, Kivimäki was released from pretrial detention in September 2025, as the court determined he had already served sufficient time awaiting trial.
The Vastaamo breach, which occurred in 2018, came to light in 2020 when the attacker first attempted to extort the company. Subsequently, demands were made directly to thousands of patients. When many refused to comply, highly sensitive therapy notes and patient records were published online.
The stolen database contained information on approximately 33,000 patients, with over 24,000 individuals reporting that they received extortion demands. This case became the largest criminal case in Finnish history by victim count, with many affected individuals being children or those undergoing treatment for severe psychological trauma.
With the Supreme Court's decision not to hear the appeal, Kivimäki's conviction is now final. Finnish authorities are actively seeking his whereabouts to ensure he completes his prison sentence, highlighting the ongoing pursuit of justice in one of Finland's most significant cybercrime cases.