Ask Onix
Ransom emails trigger national crisis
In October 2020, Meri-Tuuli Auer, a 30-year-old resident of Helsinki, discovered an alarming email in her spam folder. The message included her full name and Finnish social security number-details only legitimate institutions should possess. The sender claimed to have breached Vastaamo, a psychotherapy provider, and demanded €200 in Bitcoin within 24 hours. Failure to comply would result in the public release of her therapy records, including transcripts of her private sessions.
The threat sent Auer into a spiral of fear. She took sick leave from work, isolated herself at home, and avoided public spaces. She was one of 33,000 Vastaamo patients targeted in the attack, which exposed deeply personal disclosures-from suicide attempts to childhood trauma. The breach became Finland's most severe criminal incident, prompting then-Prime Minister Sanna Marin to convene an emergency cabinet meeting.
Dark web leak compounds trauma
Before contacting patients, the hacker published the entire stolen database on the dark web. Despite efforts to contain the fallout, the records-containing intimate details of patients' mental health struggles-began circulating online. The extortionist initially released 100 records daily, pressuring Vastaamo to pay a €400,000 ransom.
Auer, who had shared secrets with her therapist she had never told her family, felt compelled to check if her records were among those leaked. Though she found her files had not yet been published, witnessing others' records being mocked online deepened her distress. "A 10-year-old's therapy notes were treated as a joke," she recalled.
Investigation leads to arrest after two years
Finnish authorities initially doubted they could identify the perpetrator. Marko Lepponen, the detective leading the case, described the scale as unprecedented. However, in October 2022, police named Julius Kivimäki, a known cybercriminal, as the prime suspect. He was arrested in France in February 2023 and extradited to Finland.
Due to the sheer number of plaintiffs-21,000 former Vastaamo patients-the trial was broadcast in public venues, including cinemas. Auer attended one screening and was struck by Kivimäki's ordinary appearance. "He looked like any young Finnish man," she said. In 2023, he was convicted and sentenced to six years and seven months in prison, though he continues to deny involvement.
Lasting damage and resilience
The breach's impact persists. A search engine on the dark web now allows users to locate therapy records by name, perpetuating victims' exposure. Auer's lawyer confirmed at least two suicides linked to the leak, while others abandoned therapy entirely, fearing further violations.
Auer requested a copy of her records from Vastaamo. The notes, which she shared with reporters, described her as "angry, impulsive, and bitter," with "interpersonal difficulties." She was devastated by the clinical tone. "It made me pity who I used to be," she said.
Reclaiming agency through transparency
Rather than retreat, Auer chose to confront the breach publicly. She posted about her experience on social media, revealing her secret relationship with an older man-something she had never disclosed to her family. The response was overwhelmingly supportive.
She later published a book, Everyone Gets to Know, to reframe her narrative. "At least I control the story now," she explained. While her records remain online, she has learned to compartmentalize the trauma. "For my wellbeing, I don't dwell on it."
"The victims' suffering was acknowledged by the court. That validation mattered."
Meri-Tuuli Auer
