
Ex-CEO of hacked therapy clinic sentenced for failing to protect patients' session notes


April 20, 2023


A Finnish court has given the former CEO of a chain of psychotherapy clinics a suspended jail sentence after failing to adequately protect highly sensitive notes of patients' therapy sessions from falling into the hands of blackmailing hackers.

Ville Tapio, the then-CEO of therapy clinic Vastaamo, was unceremoniously fired after a hacker stole the psychotherapy session notes related to tens of thousands of patients, published some of them on the dark web, and demanded a 450,000 Euro ransom.

To compound the pressure on innocent victims, the hacker, who went by the name "Ransom Man", then emailed patients directly, threatening to release the records of their individual psychotherapy sessions if they did not pay him their own Bitcoin ransom.

To rub salt into the wound, the hacker bragged about the poor state of Vastaamo's security, saying that the company had used a username/password combination of "root/root."

A subsequent investigation found that Vastaamo's customer database and sensitive session notes had first been breached in November 2018, and then again in mid-March 2019. Despite CEO Ville Tapio knowing about the hack in 2019, he did not inform the authorities or other members of the company's board, and it only became public knowledge 18 months later, leading to Tapio's dismissal.

To make matters worse, the company's database of patients' contact details and therapy session notes was not properly encrypted, making it easy for extortionists to exploit the information.

Unsurprisingly, Vastaamo declared itself bankrupt as a result of the scandal.

This week, Helsinki District Court handed Ville Tapio a three-month suspended sentence. The court said that the severity of the crime, and the length of time that the highly sensitive data was not adequately protected from falling into the wrong hands, meant that "Tapio must receive a prison sentence for the act."

However, the court then said that because Tapio had no previous criminal record, it would impose a suspended sentence instead.

For his part, Tapio has denied committing an offence, and claimed that the responsibility for the breach fell on the shoulders of former members of the company's IT team.

In February this year, French authorities revealed that they had arrested 25-year-old Julius "Zeekill" Kivimäki, a self-professed member of the Lizard Squad gang, in connection with the extortion attempt.

Finnish authorities had identified Kivimäki as possibly being "Ransom Man" after an examination of the 10GB file of Vastaamo's records uploaded to the dark web found that it also (presumably accidentally) included the entire contents of the home folder from his PC.

Once again, it's clear that you don't have to be a genius to be a cybercriminal.  Or a therapy clinic's CEO for that matter.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.