0
As soon as Meri-Tuuli Auer saw the email subject in the email folder, spamshe knew that this was not a spam common. It contained his full name and social security number – the Finnish equivalent of the Brazilian CPF.
The email was full of details about her that no one else should know.
The sender knew she was undergoing psychotherapy through a company called Vastaamo. They said they had hacked into Vastaamo’s patient database and wanted Auer to pay 200 euros (R$1,248) in bitcoins within 24 hours, or the price would rise to 500 euros within 48 hours.
If she didn’t pay, they wrote, “her information will be published for all to see, including her name, address, telephone number, Social Security number, and detailed patient record containing transcripts of her conversations with Vastaamo therapists.”
Credit,Personal file
“That’s when the fear started,” says 30-year-old Auer. “I took sick leave from work, I locked myself in the house. I didn’t want to go out. I didn’t want people to see me.”
She was one of 33,000 Vastaamo patients who had their therapy records stolen in October 2020 by an anonymous hacker.
They had shared their most intimate thoughts with their therapists, including details about suicide attempts, extramarital affairs and child sexual abuse.
In Finland, a country of 5.6 million people, it seemed like everyone knew someone who had their therapy records stolen.
The case became a national scandal, the biggest cybercrime in Finnish history, and then-Prime Minister Sanna Marin called an emergency meeting with ministers to discuss a response.
But it was already too late to stop the hacker.
Before sending the emails to Vastaamo patients, the hacker published the entire database with the company’s stolen records on dark weband an unknown number of people have read or downloaded a copy. These notes have been circulating ever since.
Auer had told his therapist things that not even his closest family members knew — about his excessive alcohol consumption and a secret relationship he had with a much older man.
Now, his worst fears had come true.
But instead of destroying her, the hacker attack made her realize that she was much more resilient than she had ever imagined.
Credit,Personal file
Auer’s apartment, on the outskirts of Helsinki, Finland’s capital, seems like a happy place.
Barbie objects fill its shelves and there is a lamppost pole dance in the center of the living room. But don’t be fooled by appearances, says Auer. She has struggled with depression and anxiety for almost her entire life.
“I’m outgoing, very confident, and I love being around people,” says Auer. “But I have the feeling that everyone thinks I’m stupid and ugly, and that my life is a series of mistakes.”
Auer first sought help in 2015. She told her Vastaamo therapist about her mental health problems, her alcohol consumption and a relationship she had at age 18 with an older man, which she kept secret from her family.
She says she trusted her therapist completely and, with her help, made real progress. She had no idea what she had written in her notes from the conversations.
When he received the email with the ransom demand, news of the hacker attack on Vastaamo had already spread.
Three days earlier, the blackmailer had begun publishing notes from therapy sessions on dark web in batches of 100 per day, hoping to pressure the company into paying a much larger ransom — the equivalent of around 400,000 euros (R$2.5 million) in bitcoins — that he had been demanding for weeks.
Auer says she felt compelled to dig through the leaked notes.
“I had never used the dark web before. But I thought, ‘I need to see if my records are there.’”
When she discovered they weren’t, she closed the file and didn’t read anyone else’s records, she says. But did you see how other people in dark web they mocked the suffering of patients.
“A 10-year-old had gone to therapy and people thought it was funny.”
And a few days later, when it became clear that the records of all Vastaamo patients had been published, Auer’s mental health began to deteriorate.
Unsure of who was responsible, or who could have read her innermost thoughts, she was terrified of using public transport, leaving the house or even opening the door for the postman.
She doubted the hacker would be found.
Credit,Personal file
Finnish detectives also feared they would not find the suspect, given the volume of data they needed to analyze.
“I couldn’t even imagine the scale of this. This is not a normal case,” says Marko Lepponen, the detective who led the investigation for the Finnish police.
But after two years of investigation, in October 2022, they named their suspect: Julius Kivimäki, a known cybercriminal.
In February 2023, Kivimäki was arrested in France and transported back to Finland to face charges.
No courtroom was large enough to accommodate the 21,000 former Vastaamo patients who registered as parties to the criminal case, so screenings were held in public spaces, including cinemas, so they could watch the trial.
Determined to see Kivimäki face justice, Auer attended one of the screenings and was struck by the criminal’s ordinary appearance.
“He looks like an ordinary young Finn,” she says. “It made me think it could have been anyone.”
When he was found guilty and sentenced to six years and seven months in prison, she said she felt like she had received confirmation.
“Any sentence he received would never make up for it all. The victims’ suffering was recognized by the court – and I was grateful for that.”
Kivimäki continues to deny being responsible for the cyber attack.
Credit,Europol
In the months following the incident, Auer requested a printed copy of his records from Vastaamo.
Her notes are stacked in a thick pile on the table as she tells what happened.
Even though its records were released more than five years ago, Vastaamo patients continue to be victims. Someone even created a search engine that allows users to find records in dark web just typing a person’s name.
Auer agrees to share some of his leaked therapy records with me.
“The patient is largely angry, impulsive and bitter,” she says, reading some of the first notes her therapist made about the sessions.
“The patient reports her past in a confusing way. There are some interpersonal difficulties arising from her fragile temperament, typical for her age.”
When he first read the notes, Auer says he was heartbroken. “I was hurt by the way she described me. It made me feel sorry for the person I was.”
She claims that the data leak has shaken patients’ trust.
“There are many people who were Vastaamo clients, who had been in therapy for years, but now they will never book a session again.”
The lawyer representing Vastaamo victims in a civil case against the hacker says she knows of at least two cases in which people took their own lives after discovering their therapy records had been stolen.
Auer decided to face his fears head on. She posted about the attack on social media, telling everyone that she had been one of the victims.
“It was so much easier for me to know that everyone who knew me already knew,” she says. She spoke to her family about the contents of her leaked records, including the secret relationship she had never revealed. “People were very supportive.”
Finally, she decided to take back control of her story by publishing a book about her experiences. The title is “Everybody Knows”, in free translation.
“I turned it all into a narrative. At least I can tell my side of the story – the one that isn’t visible in the patient charts.”
Auer has accepted that his secrets will always be exposed.
“For my own well-being, it’s best to just not think about it.”
